The local storage is not a secure storage, and as such the refresh token should not be stored there. This issue is mitigated by the token being DPoP-bound, and the DPoP key not being available in storage.
This PR fixes bug #3518 .
[x] I've added a unit test to test for potential regressions of this bug.
[x] The changelog has been updated, if applicable.
The local storage is not a secure storage, and as such the refresh token should not be stored there. This issue is mitigated by the token being DPoP-bound, and the DPoP key not being available in storage.
This PR fixes bug #3518 .