I need to authenticate my users via OAuth. The idea was simple: do it the way described on Habr: https://habrahabr.ru/company/Voximplant/blog/323160/
The villain stole the user's tokens and used the refresh token: the user updated the token and the villain was thrown out.
The villain stole the user's tokens and used the refresh token: the user logged in, and the villain was thrown out again.
But then a problem arises: what to do if the user works from multiple devices? When he logs in from a second computer, it is impossible to tell whether his previous session was stolen and he re-logged in after being deprived of his access token, or whether he wants to keep the two sessions.
You can, of course, have the login also get the refresh token that failed to be updated, but is there perhaps an accepted way that is not a hack?
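A small model of the scheme the question describes, added here as an illustration and not part of the original post: one valid refresh token per user, rotated on each use. It shows that, from the server's side, a login from a second device looks the same as the re-login that evicts a thief. The class name, the in-memory dict, the user name and passing the user to `refresh` are assumptions made for the example.

```python
import secrets


class SingleSessionStore:
    """One valid refresh token per user, rotated on every use."""

    def __init__(self):
        self._current = {}  # user -> the only refresh token still accepted

    def login(self, user):
        # A fresh login replaces whatever token was valid before.
        token = secrets.token_urlsafe(16)
        self._current[user] = token
        return token

    def refresh(self, user, token):
        # Accept only the current token, then rotate it.
        current = self._current.get(user)
        if current is None or not secrets.compare_digest(current, token):
            return None  # stale token: the holder has to log in again
        return self.login(user)


def user_refreshes_first():
    store = SingleSessionStore()
    stolen = store.login("alice")        # thief holds a copy of this token
    store.refresh("alice", stolen)       # the user rotates it first
    return store.refresh("alice", stolen)  # thief's copy -> None


def thief_refreshes_first():
    store = SingleSessionStore()
    stolen = store.login("alice")
    thief = store.refresh("alice", stolen)   # thief rotates first
    user = store.refresh("alice", stolen)    # user's copy is stale -> None
    store.login("alice")                     # user logs in again
    return user, store.refresh("alice", thief)  # thief is out -> None


def second_device_login():
    store = SingleSessionStore()
    laptop = store.login("alice")
    store.login("alice")                 # same user signs in on a phone
    return store.refresh("alice", laptop)  # laptop session is lost -> None
```
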