Depending on the client type, there are different ways that refresh tokens may be revealed to an attacker. An attacker may obtain the refresh tokens issued to a web application by way of overcoming the web server's security controls. On native clients, refresh tokens may be read from the local file system or the device could be stolen or cloned.
OAuth 2.0 Threat Model and Security Considerations (RFC6819, section 4.1.2)
This threat is considered fully mitigated if all the test cases from the following test set succeed.
Back to the threat overview