5

If I have a mobile app that is authorized against my server using PKCE, which allows it to get an access_token and a refresh_token, to what extent should I trust that the app can use the refresh_token from now on to get the access_token? Surely the same concerns that led the standard to invent PKCE are at play here?

I am asking because while I was playing around with a Ruby library for OAuth2, I discovered that this is OK to do, which perplexed me. Shouldn't this particular use case just ban refresh_tokens?

EDIT: Not sure if this will turn out to be the answer, but perhaps we assume here that (given a TLS connection), the refresh_token was sent back to the app securely and as long as the app is talking to the server directly we are good?

James M
  • 51
  • 4

1 Answer

4

The OAuth2 authorization code grant has two phases:

  1. Exchange primary credentials for an authorization code using browser redirection
  2. Exchange the authorization code for an access token (and optionally a refresh token) over a secure channel

For native apps, there are some situations where browser redirection may expose the redirected response to another party. See RFC 8252 for details, and note Section 8.1 which describes the problem that PKCE solves.

PKCE ensures that if the authorization code is exposed to another party, then that party cannot use the authorization code to obtain the access and refresh tokens.

The second step does not use browser redirection. Hence, the sensitive tokens returned cannot be exposed in the same way.

Since the refresh token is returned using a secure channel, it is safe to use it to obtain a new access token without requiring the PKCE challenge and verify steps.

Jonathan Giddy
  • 394
  • 1
  • 5
  • So client_secret should be optional on a refresh token action? – toto Sep 19 '22 at 10:14
  • PKCE says nothing about refresh grants. Requirements for use of client_secret are defined by the token provider. To support public clients, it is possible to support refresh grants without a client_secret. https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/ says "Typically, refresh tokens are only used with confidential clients. However, since it is possible to use the authorization code flow without a client secret, the refresh grant may also be used by clients that don’t have a secret." – Jonathan Giddy Sep 21 '22 at 07:03
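The three exchanges the answer describes (redirect returning a code, direct exchange of code plus code_verifier for tokens, and a later refresh grant without PKCE), modelled as an added example in Ruby. This is illustration code written for this page, not code from the Ruby library the question mentions or from any real authorization server. The in-memory `AuthServer` class, the client_id `mobile-app`, the attacker's guessed verifier, and the choice to bind refresh tokens to the client_id and rotate them on use are all assumptions made here for the demonstration; only the S256 challenge construction follows RFC 7636.

```ruby
require 'securerandom'
require 'digest'
require 'base64'

# PKCE helpers (RFC 7636, S256 method): the verifier is a high-entropy random
# string held only by the app; the challenge is base64url(SHA256(verifier))
# without padding and is what travels through the browser redirect.
def generate_code_verifier
  # 32 random bytes -> 43 base64url chars, within the RFC's 43..128 range
  Base64.urlsafe_encode64(SecureRandom.random_bytes(32), padding: false)
end

def code_challenge_for(verifier)
  Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
end

# Hypothetical in-memory authorization server (an assumption for this example)
# modelling the two phases of the authorization code grant plus the refresh grant.
class AuthServer
  def initialize
    @codes = {}    # authorization code => { client_id:, challenge:, used: }
    @refresh = {}  # refresh token      => { client_id: }
  end

  # Phase 1: browser redirect. The returned code is what lands on the app's
  # redirect URI and is the value another party on the device might observe.
  def authorize(client_id:, code_challenge:)
    code = SecureRandom.hex(16)
    @codes[code] = { client_id: client_id, challenge: code_challenge, used: false }
    code
  end

  # Phase 2: direct, TLS-protected call from the app. The code is useless
  # without the verifier, and is single-use.
  def token(client_id:, code:, code_verifier:)
    rec = @codes[code]
    return { error: 'invalid_grant' } if rec.nil? || rec[:used] || rec[:client_id] != client_id
    return { error: 'invalid_grant' } unless code_challenge_for(code_verifier) == rec[:challenge]
    rec[:used] = true
    issue(client_id)
  end

  # Refresh grant: no PKCE and no client_secret (public client). As a
  # practitioner's hardening choice (an assumption here, not required by the
  # answer) the refresh token is bound to the client_id and rotated on use.
  def refresh(client_id:, refresh_token:)
    rec = @refresh.delete(refresh_token)
    return { error: 'invalid_grant' } if rec.nil? || rec[:client_id] != client_id
    issue(client_id)
  end

  private

  def issue(client_id)
    rt = SecureRandom.hex(24)
    @refresh[rt] = { client_id: client_id }
    { access_token: SecureRandom.hex(24), refresh_token: rt, token_type: 'Bearer' }
  end
end

# Walk through the flow: legitimate app, an attacker who saw the redirect,
# a replay of the code, and two refresh attempts with the same token.
def demo
  server = AuthServer.new
  verifier = generate_code_verifier
  code = server.authorize(client_id: 'mobile-app', code_challenge: code_challenge_for(verifier))

  # Attacker intercepted the redirect: has the code, not the verifier.
  stolen = server.token(client_id: 'mobile-app', code: code, code_verifier: 'attacker-guess')

  # Legitimate app completes phase 2 over the direct channel.
  tokens = server.token(client_id: 'mobile-app', code: code, code_verifier: verifier)

  # The code is single-use: replaying it with the right verifier also fails.
  replay = server.token(client_id: 'mobile-app', code: code, code_verifier: verifier)

  # Refresh needs no PKCE; the old refresh token is invalidated afterwards.
  refreshed = server.refresh(client_id: 'mobile-app', refresh_token: tokens[:refresh_token])
  reuse = server.refresh(client_id: 'mobile-app', refresh_token: tokens[:refresh_token])

  { stolen: stolen, tokens: tokens, replay: replay, refreshed: refreshed, reuse: reuse }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point the answer makes is visible in `demo`: the only value that crosses the redirect is the code, and `token` rejects it without the verifier, while the refresh token never crosses the redirect at all, so `refresh` has nothing to gain from a PKCE check. What does protect the refresh grant for a public client is what the server does with the token itself, which is why the model binds it to the client_id and rotates it; a stolen refresh token used by an attacker would then invalidate the legitimate app's copy and surface the theft.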