The OAuth 2.0 protocol says:
"The authorization server MUST verify the binding between the refresh token and client identity whenever the client identity can be authenticated."
https://www.rfc-editor.org/rfc/rfc6749#section-10.4
I'm interested in how they check the "refresh token - client binding" for Android and iOS apps. How do they know that the request came from the app that generated the refresh token and not some other app (this is when the refresh token is presented in order to get a new access token)?
What do you think is the best way to check the "refresh token - client" binding?
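
The binding check from the quoted sentence, written from the authorization server's side as an added example (not part of the original post and not code from any real authorization server). It goes one step beyond the quoted sentence to the refresh token rotation that the same section 10.4 describes for clients whose identity cannot be authenticated; the class name, method names and in-memory store are assumptions made for illustration.

```python
import hashlib
import secrets


class RefreshError(Exception):
    """Refresh request rejected (an OAuth server would answer invalid_grant)."""


class RefreshTokenStore:
    """Hypothetical in-memory store; a real server would use a database."""

    def __init__(self):
        # sha256(token) -> {"client_id", "family", "active"}; raw tokens are not kept
        self._records = {}
        self._revoked_families = set()

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_id, family=None):
        """Create a refresh token bound to client_id at issuance time."""
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = {
            "client_id": client_id,
            "family": family or secrets.token_hex(8),
            "active": True,
        }
        return token

    def refresh(self, presented_token, client_id):
        """Redeem a refresh token; client_id is the identity on the token request."""
        rec = self._records.get(self._key(presented_token))
        if rec is None or rec["family"] in self._revoked_families:
            raise RefreshError("unknown or revoked refresh token")
        # Binding check: only the client the token was issued to may redeem it.
        if rec["client_id"] != client_id:
            raise RefreshError("refresh token not bound to this client")
        # A rotated token showing up again means two parties hold it:
        # revoke every token descended from the same grant.
        if not rec["active"]:
            self._revoked_families.add(rec["family"])
            raise RefreshError("refresh token reuse detected")
        rec["active"] = False  # invalidated but retained, so reuse can be detected
        return self.issue(client_id, family=rec["family"])
```

For a confidential client the `client_id` passed to `refresh` comes from client authentication; for a native app it is only the value sent in the request, which is why the rotation and reuse check carries the weight there.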