Some flows allow applications to obtain refresh tokens. However, handling refresh tokens in the browser has security implications.

Confidential clients must authenticate when they use a refresh token. Public clients, such as browser-based applications, do not authenticate during the Refresh Token flow. As a result, refresh tokens issued to front-end web applications are bearer tokens.

In practice, this means that if an attacker manages to steal a refresh token from a front-end application, they can use that token in a Refresh Token flow. To counter such attacks, the OAuth 2.0 specification mandates that browser-based applications apply a security measure known as refresh token rotation.

When refresh token rotation is enabled for an application, refresh tokens can be used only once. Every time the client uses a refresh token, the authorization server issues a new access token and a new refresh token. When the application wants to run another Refresh Token flow, it uses the refresh token that was issued most recently.

When an application uses a refresh token, it always receives a new refresh token for next time. As a result, refresh tokens are used only once.

However, if an attacker uses malicious code to steal an application's refresh token, the application won’t be aware that the refresh token has been stolen, so it will keep using the refresh token to obtain new access tokens (and refresh tokens). The attacker, who has stolen a refresh token, also wants to get a new access token (and refresh token). As a result, either the attacker or the client application will use a refresh token for the second time.

Refresh token reuse likely indicates that a second party is trying to use a stolen refresh token. In response to this reuse, the authorization server immediately revokes the reused refresh token, along with all descendant tokens.
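The following sketch is an added example, not code from the authorization server described here. It models rotation and reuse detection with an in-memory store; the class and function names and the "family" bookkeeping are assumptions made for illustration, and only refresh tokens are tracked.

```python
import secrets

class RotatingTokenStore:
    """Toy in-memory authorization server state (hypothetical, for illustration)."""

    def __init__(self):
        self.tokens = {}               # refresh token -> {"family": id, "used": bool}
        self.revoked_families = set()  # families killed after reuse was detected

    def _mint(self, family):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"family": family, "used": False}
        return token

    def issue_initial(self):
        """Start a new token family, e.g. after the user signs in."""
        return self._mint(secrets.token_hex(8))

    def refresh(self, presented):
        """Run one Refresh Token flow; returns (access_token, new_refresh_token)."""
        record = self.tokens.get(presented)
        if record is None:
            raise PermissionError("unknown refresh token")
        family = record["family"]
        if family in self.revoked_families:
            raise PermissionError("token family revoked")
        if record["used"]:
            # Second use of a one-time token: revoke it and all its descendants.
            self.revoked_families.add(family)
            raise PermissionError("refresh token reuse detected; family revoked")
        record["used"] = True
        return secrets.token_urlsafe(16), self._mint(family)

def simulate_theft():
    """Constructed scenario: an attacker copies rt1, then both parties refresh."""
    server = RotatingTokenStore()
    rt1 = server.issue_initial()
    stolen = rt1                      # attacker exfiltrates the current token
    _, rt2 = server.refresh(rt1)      # legitimate application rotates rt1 -> rt2
    outcome = {}
    for who, token in (("attacker_reuses_rt1", stolen), ("app_uses_rt2", rt2)):
        try:
            server.refresh(token)
            outcome[who] = "ok"
        except PermissionError as exc:
            outcome[who] = str(exc)
    return outcome
```

In the simulated outcome the application's newer token is rejected as well, so the user has to sign in again to start a new family.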

For more information, see A Critical Analysis of Refresh Token Rotation in Single-page Applications on the Ping Identity blog.

For information about configuring refresh tokens, see Editing an application - OIDC.