Dear Auth0 Community,
I have been learning how Auth0 works in order to evaluate if and how I can implement it in my softwares.
I have a little doubt about Refresh Tokens.
We know that Refresh Tokens are long-lived (as it is stated here https://auth0.com/learn/refresh-tokens/ ) so we must keep them safe. So, one Client (a mobile app, a web app, etc.) generates inside Auth0 one Refresh Token for each user it authenticates? I mean, if the Refresh Token is stolen from the Client, it can´t be used with another client id and client secret (from another application), right? I know there are a lot of ways to configure Auth0 through Rules, Connections, etc. but, in general terms and if it´s configured well that Refresh Token will be only valid for that client with that user, but not for another user or another Client (application), right? I think that the answer is a clear “yes” but I want to know if I´m understanding everything well.
Thank you very much for your help and have a nice day!