
This question is inspired by this answer and question

I also use that method to handle the case where users can sign in and out of multiple devices, by storing a per-device refresh token for a device id. I am making the assumption that various additional checks should be available to refresh token exchange: check IP for web apps, check device id for mobile apps, throttling etc.

I would have thought that OIDC somehow caters for the flows around multiple devices for a single user, but having tried to study the spec I can't say I see it. Basically, my question is, does OIDC implicitly or explicitly address this stuff? Am I reading it right that there is no support for this and that, to handle it, a custom non-OIDC approach is necessary?

Frank
  • Why do you think that you can only have one refresh token per user per client? I don't think OAuth specifies any limits there. It's up to your implementation to manage the refresh tokens. I'm pretty sure having multiple refresh tokens is allowed, but I haven't found a source backing that up so far... – xsrf May 01 '21 at 14:57

0 Answers
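The approach described in the question (one refresh token per user per device, with rotation, an optional IP binding for web sessions, per-device throttling and per-device revocation) as an added example; this is not code from the question, the commenter or any OIDC library, and the store, the hypothetical device ids and the clock injection are assumptions made for the illustration:

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class DeviceSession:
    token_hash: str         # only the SHA-256 of the refresh token is stored
    ip: Optional[str]       # bound client IP (web apps); None means "not bound"
    last_refresh: float     # time of the last issue/rotation, for throttling


class RefreshTokenStore:
    """Keeps one rotating refresh token per (user, device_id) pair."""

    def __init__(self, min_interval: float = 1.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[Tuple[str, str], DeviceSession] = {}
        self.min_interval = min_interval   # minimum seconds between refreshes
        self.clock = clock                  # injectable for deterministic tests

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, device_id: str, ip: Optional[str] = None) -> str:
        """Create (or replace) the refresh token for this user's device."""
        token = secrets.token_urlsafe(32)
        self._sessions[(user, device_id)] = DeviceSession(
            self._hash(token), ip, self.clock())
        return token

    def exchange(self, user: str, device_id: str, presented: str,
                 ip: Optional[str] = None) -> Optional[str]:
        """Validate the presented token, rotate it and return the new one, else None."""
        sess = self._sessions.get((user, device_id))
        if sess is None:
            return None
        if not secrets.compare_digest(sess.token_hash, self._hash(presented)):
            # A stale or forged token for a known device: treat as reuse and
            # revoke only this device, leaving the user's other devices alone.
            del self._sessions[(user, device_id)]
            return None
        if sess.ip is not None and ip != sess.ip:
            return None                     # IP check for web sessions
        if self.clock() - sess.last_refresh < self.min_interval:
            return None                     # per-device throttling
        return self.issue(user, device_id, sess.ip)   # rotation keeps the binding

    def revoke_device(self, user: str, device_id: str) -> bool:
        return self._sessions.pop((user, device_id), None) is not None

    def active_devices(self, user: str) -> List[str]:
        return sorted(d for (u, d) in self._sessions if u == user)
```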