Yes, a Connection represents a link to between a local user account and an account the user has with a ServiceProvider. The Connection consists of an access token, and yes, in Greenhouse an Connection remains established until the user chooses to disconnect. A third-party ServiceProvider we are connecting to may choose to invalidate the access token at any time, however, as we don't control that.
OAuth2 introduces the concept of "scope", where a OAuth connection can have specific authorization scope e.g. READ_ONLY vs. READ_WRITE. Facebook is an example of a ServiceProvider that uses this concept heavily, as you can use a variety of scopes when connecting to their API. The "scope" concept is definitely a property of the Connection, which has an association with a local Account. In Greenhouse, we're not doing anything with such a concept as we don't have a requirement for different access levels for our API. If we did, yes, I could imagine being able to lookup a scope property of the Connection object to determine what the user has allowed access to.
Core Spring Development Team