Chat auth token annoying, constant refreshing

So what steps are common to identify which clients are allowed to refresh a token through my server? That’s the main issue that I’m having with this.

And I’m not afraid of it, I’m just thinking it’s a new risk (however small it is) that is unnecessary for clientside apps, when at the same time it doesn’t improve security (as long as I can’t properly determine which clients are allowed to refresh a token).

It’s quite obvious that expiring tokens makes sense. It’s ridiculous that tokens last for years. It’s just a huge step from “tokens last literally forever” to “tokens last half a day”. And using a client secret and refresh token makes sense as well, for serverside applications. And reauthorizing silently through the implicit flow in webapps makes sense as well. It’s just that one kind of application where I don’t see how it makes sense. I mean I’d rather have my users not notice refreshing tokens at all, instead of using the Implicit Flow once a month (theoretically, if Twitch would allow longer lasting tokens), so it’d be better to just throw together some serverside code and be done with it. But I’d rather actually think this through and understand how I can make it as secure as possible.