After the LTT fiasco where a session token was used to access the YouTube account, it's worth looking into restricting token refresh based on IP address. Initial idea: hash the IP address at login and store it with the grant. The grant can then only be used to refresh if the IP address matches. Should check how mobile networks handle this, because otherwise there should perhaps be a location lookup, with refreshing only allowed within a certain range.