Suppose a client "C" sends a request with an expired access token, to an
Suppose that application "A" has the refresh token of client "C" and
"A" automatically uses this refresh token so that everything is transparent
for client "C" until the refresh token expires as well.
The trouble is that a leak of the access token (yes, access token) of
client "C" will have the same result as a leak of the refresh token.
Is it a good practice to implement automatic refresh of the token? If it's
not, how should we use the refresh token?
The OAuth 2.0 RFC (https://tools.ietf.org/html/rfc6819#section-126.96.36.199)
explains that we have to bind the refresh token to the client_id to avoid
this situation. However, I am not able to understand what it means for