And the related question: would authorization be enough without a refresh token?
This token is not used for nothing.
1) You do not make the user log in every time the primary token expires. The token is renewed without user intervention by using the refresh token.
2) If your tokens have been stolen, your refresh token becomes irrelevant: the site requires you to authenticate with login and password. After successfully completing this procedure you will be issued a new pair of token and refresh token. Accordingly, the refresh token that was stolen from you turns into a pumpkin. So when the attacker's regular token expires, he can't get a new one.
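A minimal in-memory sketch of the behaviour described in points 1 and 2, added here as an example and not part of the original post. The names `TokenService`, `login`, `renew`, `whoami` and the 300-second access-token lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ACCESS_TTL = 300  # seconds; assumed lifetime of the short-lived access token

class TokenService:
    """Assumed design: one valid refresh token per user, replaced on login."""

    def __init__(self, clock):
        self.clock = clock      # callable returning the current time in seconds
        self.passwords = {}     # user -> (salt, PBKDF2 hash)
        self.refresh = {}       # user -> SHA-256 of the current refresh token
        self.access = {}        # access token -> (user, expiry time)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, self._kdf(password, salt))

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _issue_access(self, user):
        token = secrets.token_urlsafe(32)
        self.access[token] = (user, self.clock() + ACCESS_TTL)
        return token

    def login(self, user, password):
        """Password login: new pair; the previous refresh token stops working."""
        salt, stored = self.passwords.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(stored, self._kdf(password, salt)):
            raise PermissionError("bad credentials")
        refresh = secrets.token_urlsafe(32)
        self.refresh[user] = hashlib.sha256(refresh.encode()).digest()
        return self._issue_access(user), refresh

    def renew(self, user, refresh_token):
        """Silent renewal: new access token without asking for the password."""
        current = self.refresh.get(user, b"")
        offered = hashlib.sha256(refresh_token.encode()).digest()
        if not hmac.compare_digest(current, offered):
            raise PermissionError("refresh token no longer valid")
        return self._issue_access(user)

    def whoami(self, access_token):
        user, expires = self.access.get(access_token, (None, 0))
        return user if user and self.clock() < expires else None
```

In this sketch a copied access token keeps working until it expires, which is why the lifetime is kept short; only the refresh token is cut off by the new login.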