Refresh tokens are an attractive target for attackers, since they represent the overall grant a resource owner delegated to a certain client. If an attacker is able to exfiltrate and successfully replay a refresh token, the attacker will be able to mint access tokens and use them to access resource servers on behalf of the resource owner.
OAuth 2.0 Security Best Current Practice (draft 25) (SecBCP, section 4.14)
This threat is considered fully mitigated if all the test cases from the following test set succeed.
Back to the threat overview