[Draft] Advanced OAuth 2.0: false positives in refresh token breach detection

OAuth 2.0 is a framework for authorization on the web, where a user can give one service (known as the client) access to data stored in another service (known as the resource server). The framework specifies a three-party "handshake" of sorts, in which the user grants access via an authorization server and the client obtains an access token. The client can then use that access token to make authorized requests to the resource server. (A deeper explainer of OAuth 2.0 is beyond the scope of this article, but here's a really good explanation by Aaron Parecki.)

This article explores a specific edge case that can happen when OAuth 2.0 authorization servers use rotating refresh tokens to detect breaches.
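To make the mechanism concrete before the sections below, here is a small model of an authorization server that rotates refresh tokens and treats reuse of an already-rotated token as a breach signal. It is an added example written for this draft, not code from the article or from any real authorization server. Everything in it is an assumption of the example: the in-memory token store, the "family" grouping of tokens descended from one grant, the false-positive scenario it models (a refresh response lost before the client persists the new token, followed by a retry with the old one), and the optional grace window that answers the retry idempotently instead of revoking.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class RefreshTokenRecord:
    family_id: str                   # every token descended from one user grant shares this id
    issued_at: float
    successor: Optional[str] = None  # set once this token has been exchanged (rotated)


class AuthorizationServer:
    """Toy authorization server (assumption of this example): rotates the refresh token on
    every use and treats a second use of an already-rotated token as evidence it leaked."""

    def __init__(self, reuse_grace_seconds: Optional[float] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.tokens: Dict[str, RefreshTokenRecord] = {}
        self.revoked_families: Set[str] = set()
        self.reuse_grace_seconds = reuse_grace_seconds  # None = strict: any reuse revokes
        self.clock = clock

    def issue_initial(self) -> str:
        """Refresh token handed out at the end of the authorization-code exchange."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = RefreshTokenRecord(secrets.token_hex(8), self.clock())
        return token

    def refresh(self, presented: str) -> Optional[Tuple[str, str]]:
        """Exchange a refresh token for (access_token, next_refresh_token).
        Returns None when the request is refused; on detected reuse the whole
        family is revoked, so neither the client nor a holder of a copy can refresh."""
        rec = self.tokens.get(presented)
        if rec is None or rec.family_id in self.revoked_families:
            return None
        if rec.successor is not None:
            # Already rotated. Either a leaked copy is being replayed, or an honest client
            # never received/persisted the successor and is retrying the same request.
            succ = self.tokens[rec.successor]
            retry_looks_honest = (
                self.reuse_grace_seconds is not None
                and succ.successor is None            # successor never used: client lacks it
                and self.clock() - succ.issued_at <= self.reuse_grace_seconds
            )
            if retry_looks_honest:
                # Idempotent retry: hand back the same successor instead of rotating again.
                return secrets.token_urlsafe(16), rec.successor
            self.revoked_families.add(rec.family_id)
            return None
        new_token = secrets.token_urlsafe(32)
        self.tokens[new_token] = RefreshTokenRecord(rec.family_id, self.clock())
        rec.successor = new_token
        return secrets.token_urlsafe(16), new_token

    def family_is_revoked(self, token: str) -> bool:
        rec = self.tokens.get(token)
        return rec is not None and rec.family_id in self.revoked_families


def leaked_copy_replay(server: AuthorizationServer) -> bool:
    """True positive: a leaked copy of a refresh token is presented after the legitimate
    client has rotated past it. Returns True if the server refused it and revoked the family."""
    leaked_copy = token = server.issue_initial()
    _, token = server.refresh(token)   # honest client rotates...
    _, token = server.refresh(token)   # ...and has already used the successor
    refused = server.refresh(leaked_copy) is None
    return refused and server.family_is_revoked(token)


def lost_response_retry(server: AuthorizationServer) -> Dict[str, bool]:
    """The false positive this draft is about (constructed scenario): the server rotates, but
    the response is lost (timeout, crash) before the client persists the new token, so the
    client retries with the only refresh token it still has."""
    client_token = server.issue_initial()
    server.refresh(client_token)           # response never reaches the client
    retry = server.refresh(client_token)   # same request, same old token
    return {"retry_succeeded": retry is not None,
            "family_revoked": server.family_is_revoked(client_token)}


if __name__ == "__main__":
    print("leaked copy detected (strict):", leaked_copy_replay(AuthorizationServer()))
    print("strict server, lost response:", lost_response_retry(AuthorizationServer()))
    print("30 s grace window, lost response:",
          lost_response_retry(AuthorizationServer(reuse_grace_seconds=30)))
```

With the strict setting, the honest retry is indistinguishable from a replayed copy, and the server revokes the whole family: the user is signed out even though nothing leaked. The grace window only tolerates a retry while the successor token is unused and recent, so a copy replayed after the real client has moved on is still caught; the price is that a copy replayed inside the window, before the client uses its new token, is answered the same way as the honest retry, which is the trade-off any such window has to weigh.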

What are refresh tokens?

TODO

Why rotate refresh tokens?

TODO

Where things go wrong: false positives

TODO

Mitigation for clients

TODO

Building better authorization servers

TODO