且构网


Must OAuth2 access tokens for mobile applications expire?

Updated: 2023-09-08 08:10:40

Is it okay to issue only non-expiring access tokens and ignore the whole refresh token part?

The difference between a refresh token and a non-expiring access token in terms of security is one additional call to the authorization server.

If an attacker gains access to your non-expiring access token, he can directly call your resource server and get confidential data as the response.
Now if he steals your refresh token, he first has to call the authorization server and receive an access token in response. Then he can query the resource server for confidential data.

Each time an access token is requested from your authorization server using a refresh token, the OAuth 2 specification (at least the latest draft for now) requires the server to check the client identity and whether it is bound to the token, if possible.

As the normal approach with a client secret does not work to definitely identify an installed application on an open platform, the platform running the application has to provide methods to do this. Google, for example, requires Android applications to be signed by the developer. When requesting credentials for an Android application using the Google API Console, you therefore have to specify the fingerprint of the certificate you used for signing the application and only get a client ID, but no secret, in response. On issuing tokens, Google can then decide if the application was authorized by the developer to request tokens in his name.

If you definitely can't verify the client identity, it is at least possible in some cases to recognize that a refresh token was stolen. The specification has an example for this:

When client authentication is not possible, the authorization server SHOULD deploy other means to detect refresh token abuse.

For example, the authorization server could employ refresh token rotation in which a new refresh token is issued with every access token refresh response. The previous refresh token is invalidated but retained by the authorization server. If a refresh token is compromised and subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token, which will inform the authorization server of the breach.
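As an added example (not part of the original answer or of the specification), here is a minimal Python model of the rotation scheme quoted above: the authorization server retires each refresh token when it is used, keeps the retired ones, and revokes the whole token family as soon as a retired token is presented again. The client_id binding check, the token family structure and the access token lifetime are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class TokenFamily:
    """Every refresh token that descends from one authorization grant (assumed structure)."""
    client_id: str
    current: str                                  # the single refresh token valid right now
    retired: set = field(default_factory=set)     # invalidated but retained for reuse detection
    revoked: bool = False

class AuthorizationServer:
    def __init__(self, access_ttl: int = 600):
        self.access_ttl = access_ttl              # assumed short lifetime for access tokens
        self._families = {}                       # any refresh token -> its family

    def issue_grant(self, client_id: str) -> str:
        """Initial authorization: returns the first refresh token of a new family."""
        rt = secrets.token_urlsafe(32)
        self._families[rt] = TokenFamily(client_id=client_id, current=rt)
        return rt

    def refresh(self, client_id: str, refresh_token: str) -> dict:
        """Token endpoint for grant_type=refresh_token, with rotation."""
        fam = self._families.get(refresh_token)
        # Binding check: a public client cannot be authenticated, but the client_id
        # it presents must still match the one the token family was issued to.
        if fam is None or fam.client_id != client_id or fam.revoked:
            return {"error": "invalid_grant"}
        if refresh_token in fam.retired:
            # An invalidated token was presented: either the attacker or the
            # legitimate client is replaying it. Revoke the whole family.
            fam.revoked = True
            return {"error": "invalid_grant", "error_description": "refresh token reuse detected"}
        new_rt = secrets.token_urlsafe(32)      # rotate: retire the old token, issue a new one
        fam.retired.add(refresh_token)
        fam.current = new_rt
        self._families[new_rt] = fam
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": new_rt}

def simulate_theft() -> list:
    """Scenario from the spec text: one stolen refresh token used by both parties."""
    srv = AuthorizationServer()
    rt1 = srv.issue_grant("mobile-app")            # legitimate client holds rt1; attacker copies it
    attacker = srv.refresh("mobile-app", rt1)      # attacker refreshes first and receives rt2
    victim = srv.refresh("mobile-app", rt1)        # legitimate client replays rt1 -> detected
    after = srv.refresh("mobile-app", attacker["refresh_token"])  # attacker's rt2 is dead too
    return ["access_token" in attacker, victim.get("error_description"), after["error"]]
```

Note that the detection only fires after the attacker has obtained one access token, so the scheme limits the damage to one access token lifetime rather than preventing it; that is why the access token TTL stays short.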