6819_4_1_2

Obtaining Refresh Tokens

Depending on the client type, there are different ways that refresh tokens may be revealed to an attacker. An attacker may obtain the refresh tokens issued to a web application by way of overcoming the web server's security controls. On native clients, refresh tokens may be read from the local file system or the device could be stolen or cloned.

OAuth 2.0 Threat Model and Security Considerations (RFC6819, section 4.1.2)

Mitigations

This threat is considered fully mitigated if all the test cases from one of the following test sets succeed.

The impact factor is a measure that indicates how important a given countermeasure is towards mitigating a threat.
