Hi @aaronpk, do you know if any OAuth provider like Okta allows setting refresh tokens as an HttpOnly cookie and whose token endpoint reads that cookie? Asking for a browser-based public client which can't safely store refresh tokens outside of memory otherwise.
That's non-standard behavior so I'm not sure anyone is doing that. But there is some discussion about bringing this idea into the working group for standardization.
Thanks! Rotation doesn't help against the theft itself, only alerts afterwards. I'm not familiar with sender constraints, but probably difficult to implement for public clients? Cookies would be a simple and proven solution, at least for *browser-based* public clients.
Replying to @nu4ur
Yep I agree, there's a draft I'm planning on taking to the group to suggest exactly this.

Nov 27, 2020 · 12:06 AM UTC

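A sketch of the cookie-based token endpoint this thread asks about, combined with refresh-token rotation and reuse detection (the case where rotation only "alerts afterwards"), as an added example that is not code from any provider or from the thread's participants; the cookie name, the in-memory store and the revoke-the-whole-family policy are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "rt"  # assumed cookie name for this sketch


def _key(token: str) -> str:
    # Store only a hash so a leaked store does not leak usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class TokenStore:
    active: dict = field(default_factory=dict)   # hash -> family (one login session)
    retired: dict = field(default_factory=dict)  # hash -> family, already rotated out
    revoked_families: set = field(default_factory=set)

    def issue(self, family: str) -> str:
        token = secrets.token_urlsafe(32)
        self.active[_key(token)] = family
        return token

    def revoke_family(self, family: str) -> None:
        self.revoked_families.add(family)
        for k in [k for k, f in self.active.items() if f == family]:
            del self.active[k]


def set_cookie_header(token: str) -> str:
    # HttpOnly keeps page script away from the token, Path limits it to the
    # token endpoint, SameSite=Strict stops cross-site requests carrying it.
    return f"{COOKIE_NAME}={token}; HttpOnly; Secure; SameSite=Strict; Path=/token"


def handle_refresh(cookies: dict, store: TokenStore):
    """grant_type=refresh_token handler; returns (status, body, headers)."""
    presented = cookies.get(COOKIE_NAME)
    if not presented:
        return 400, {"error": "invalid_request"}, {}
    k = _key(presented)
    family = store.active.pop(k, None)
    if family is None:
        # A rotated-out token presented again means two parties hold a copy
        # of the same token (the theft rotation cannot prevent): revoke all.
        if k in store.retired:
            store.revoke_family(store.retired[k])
        return 401, {"error": "invalid_grant"}, {}
    store.retired[k] = family
    new_rt = store.issue(family)
    body = {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}
    return 200, body, {"Set-Cookie": set_cookie_header(new_rt)}
```

The browser never reads the refresh token; it only calls the token endpoint and the cookie travels with the request.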