...
The RFC does explicitly call out support for refresh tokens for public clients in Section 10.4. Here is the relevant quote from the spec:
> Authorization servers MAY issue refresh tokens to web application clients and native application clients.
However, it goes on to suggest that the server should detect unauthorized refresh token usage:
> When client authentication is not possible, the authorization server SHOULD deploy other means to detect refresh token abuse. For example, the authorization server could employ refresh token rotation in which a new refresh token is issued with every access token refresh response. The previous refresh token is invalidated but retained by the authorization server. If a refresh token is compromised and subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token, which will inform the authorization server of the breach.
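The rotation scheme the RFC sketches, as an added Python example that is neither this page's nor the RFC's code: every refresh issues a new token, the rotated-out token is retained rather than deleted, and a retained token showing up again is the breach signal. The class and its names are assumptions of this example, as is the response on detection (revoking the whole grant, which the RFC text leaves open).

```python
import secrets

class AuthorizationServer:
    """Toy authorization server with refresh token rotation and reuse detection.
    A grant is a 'family': its current refresh token plus every rotated-out one."""

    def __init__(self):
        self._families = {}    # family id -> state dict
        self._family_of = {}   # every refresh token ever issued -> family id

    @staticmethod
    def _mint():
        return secrets.token_urlsafe(32)

    def issue(self, client_id):
        """Initial token response for a public client: (access, refresh)."""
        fam, refresh = self._mint(), self._mint()
        self._families[fam] = {"client": client_id, "current": refresh,
                               "retired": set(), "revoked": False}
        self._family_of[refresh] = fam
        return self._mint(), refresh

    def refresh(self, presented):
        """Exchange a refresh token: rotate on success, raise on abuse."""
        fam = self._family_of.get(presented)
        if fam is None:
            raise PermissionError("unknown refresh token")
        state = self._families[fam]
        if state["revoked"]:
            raise PermissionError("grant already revoked")
        if presented in state["retired"]:
            # An invalidated token came back: attacker or legitimate client is
            # presenting it second, and the server cannot tell which. Assumed
            # response: revoke the whole grant so both parties must re-authorize.
            state["revoked"] = True
            raise PermissionError("refresh token reuse detected; grant revoked")
        new_refresh = self._mint()
        state["retired"].add(presented)   # retained, not deleted
        state["current"] = new_refresh
        self._family_of[new_refresh] = fam
        return self._mint(), new_refresh

    def grant_revoked(self, refresh_token):
        """True if the grant this token belongs to has been revoked."""
        return self._families[self._family_of[refresh_token]]["revoked"]
```

In a real deployment the reuse event is also the log line a detection team wants, since it names the grant and client whose refresh token leaked.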
...