Replying to @aaronpk
And what about this JavaScriptWebTokens I hear about. The JWTs
If you read the post I talk about exactly that issue and provide sample code for doing auth code + PKCE entirely in JavaScript
Totally depends on your risk tolerance. Browsers are always a more risky environment, so that's something to keep in mind with refresh tokens. If you are going to issue refresh tokens to JS, definitely rotate them after every use.