Hm, not specifically. OAuth2 specifications and documentation sort of address the motivation for Refresh Tokens at least (and are widely written about in blog posts etc) - and I think the security recommendations documents now strongly push for Refresh Tokens. For the benefit of automated refresh one could also pull the Let's Encrypt arguments as "similar enough" and widely recognized as good practice.
detaro|4 years ago