italia / eudi-wallet-it-docs

Italian EUDI Wallet Technical Specifications
Creative Commons Zero v1.0 Universal

Why we don't support refresh tokens for the renewal of the digital credentials #178

Open peppelinux opened 9 months ago

peppelinux commented 9 months ago
  1. User authentication and consent are required for the issuance of a credential:
    • In OAuth 2.0 the refresh token is used without any user control
    • Requesting a new credential with LoA high, e.g. the PID, requires the user to be authenticated to the PID/EAA Provider
    • To store a PID/EAA in the secure storage, the user must be authenticated and give consent
  2. Security concerns: a stolen refresh token together with a brand new WIA and a PID/EAA "presentation" would be enough to steal a brand new PID
Sakurann commented 3 months ago

If the design is one where the access token is sender-constrained and the DPoP key is cloud HSM protected, then if the user sets up a PIN that needs to be typed to generate the DPoP proof, that addresses 1, and if the access token is sender-constrained, that would mitigate 2. (But honestly, if the DPoP proof is cloud HSM protected and the Wallet backend key for the WIA as well, and the attacker can steal both, that is a bigger problem and seems to be a no-go...)