[ABCA] Implement Refresh Token Binding #201
Description
Description
This is a proxy of:
Bind refresh tokens to the client instance key used for attestation.
Potential considerations
- On token issuance, bind refresh token to cnf.jwk public key
- On refresh request, verify the same key is used
- Reject refresh requests from mismatched keys with invalid_client_attestation
- Ensure PoP + Attestation validation applies to refresh flows
- Add necessary fields to token/session model
estimated time: 2–3 days