I am trying to understand the token abuse scenarios in OpenID/OAuth 2.0 context.
In the grant_type=authorization_code scenario, the access token and the refresh token are available to a client app after successful user authorization. Token refresh makes it easy for the client app to keep using the user's resource for a practically infinite amount of time.
Is it possible to limit the use of the access and refresh tokens by the client app? Scenario: a user would like to authorize client app access to the resource only until he closes the browser. The tokens should be invalidated after that.
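As an added illustration (not from the question's author and not any real authorization server's code) of how an authorization server can bind both tokens to the user's browser session and kill them on logout, here is a hypothetical in-memory token store: short-lived access tokens, single-use rotating refresh tokens, and an `end_session` hook that invalidates every token issued during that session. Names (`SessionBoundTokenStore`, `session_id`) and TTL values are assumptions.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    client_id: str
    session_id: str      # browser session in which the grant was made (assumed)
    expires_at: float
    revoked: bool = False


class SessionBoundTokenStore:
    """Hypothetical in-memory authorization-server token store."""

    def __init__(self, access_ttl=300, refresh_ttl=3600):
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self._access = {}           # access token -> TokenRecord
        self._refresh = {}          # refresh token -> TokenRecord
        self._ended_sessions = set()

    def issue(self, client_id, session_id, now=None):
        """Issue an access/refresh pair tied to the user's browser session."""
        now = time.time() if now is None else now
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._access[access] = TokenRecord(client_id, session_id, now + self.access_ttl)
        self._refresh[refresh] = TokenRecord(client_id, session_id, now + self.refresh_ttl)
        return access, refresh

    def _live(self, rec, now):
        # A token is live only if unexpired, unrevoked, and its session still exists.
        return (rec is not None and not rec.revoked and rec.expires_at > now
                and rec.session_id not in self._ended_sessions)

    def is_active(self, access_token, now=None):
        now = time.time() if now is None else now
        return self._live(self._access.get(access_token), now)

    def refresh(self, refresh_token, client_id, now=None):
        """Rotate: a refresh token is spent on use, so a replay fails."""
        now = time.time() if now is None else now
        rec = self._refresh.get(refresh_token)
        if not self._live(rec, now) or rec.client_id != client_id:
            return None
        rec.revoked = True
        return self.issue(client_id, rec.session_id, now)

    def end_session(self, session_id):
        """Logout or browser-session end: every token from that session dies."""
        self._ended_sessions.add(session_id)
```

The session-end hook is what the question asks for; in practice it would be driven by the user's logout or by a short session cookie lifetime on the authorization server, and the resource server must check the token against this store (or a revocation list) rather than trusting a self-contained token alone.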