Trying the new Refresh Token Rotation in a React SPA. Are 3rd party cookies supposed to be required?

Thanks for the question @fredycorts7, and welcome to the Auth0 Community forums!

Your analysis of the scenario is correct; if the legitimate client does not use their refresh token for a while, and the token is stolen and used, then it’s difficult to detect that and mitigate against it. It’s important to realise that, while Reuse Detection increases the chance of detecting malicious use, it’s not a silver bullet for protecting against it as you’ve described in your scenario. The only real bullet-proof mitigation here involves the use of sender-constrained tokens, which is not something we have right at the moment.

One thing to do right now to help is ensure that your application is protected as well as possible against XSS attacks succeeding in the first instance:

  • Keep the amount of third-party JavaScript being used to a minimum, and only from trusted sources
  • Use as short an expiry time on your access tokens as is practical

Hope that helps!

2 Likes