
What's the point of refresh tokens without Refresh Token Rotation?

I've read a few articles on the matter, such as https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/#What-Is-a-Refresh-Token- and https://auth0.com/blog/achieving-a-seamless-user-experience-with-refresh-token-inactivity-lifetimes/.

As I see it, anywhere the client could store a refresh token, it could also store a long-lived access token, so it can be attacked in the same way, and since the refresh token issues infinite access tokens (without rotation), it essentially holds the same power as a long-lived access token.

Also, the same conditions and operations for invalidating a refresh token could be applied to invalidating access tokens.

With Refresh Token Rotation, I see the point, it greatly reduces the surface.

Is it the point of it without RTR as well? Reducing the surface of attack, since access tokens are sent with every request, whereas refresh tokens are only sent once every [access_token_expiration_time]?

Set

    Please have a look on https://stackoverflow.com/questions/62999140/access-token-and-refresh-token-best-practices-how-to-implement-access-refres if that answers your question. – Marek Puchalski Oct 28 '21 at 08:04
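Added illustration (not part of the question, not an answer posted on the page, and not code from Auth0 or the linked articles): a small Python model of a token issuer that hands out self-contained, HMAC-signed access tokens and opaque, server-stored refresh tokens, and can run with or without refresh token rotation (RTR) with reuse detection. The class and function names, the TTL values and the user names are constructed for the example. It demonstrates the two trade-offs the question circles around: with rotation, a copied refresh token stops working at the next legitimate refresh because the whole token family is revoked, whereas without rotation the copy keeps minting access tokens until it expires or is explicitly revoked; and revoking a user's refresh tokens does not reach access tokens already issued, which is the reason access tokens are kept short-lived rather than given the refresh token's lifetime.

```python
import base64, hashlib, hmac, json, secrets, time
from dataclasses import dataclass

ACCESS_TTL = 300            # constructed value: 5-minute access tokens
REFRESH_TTL = 30 * 86400    # constructed value: 30-day refresh tokens

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

@dataclass
class RefreshRecord:
    user: str
    family: str          # every token descending from one login shares a family id
    expires_at: float
    used: bool = False   # set once the token has been exchanged (rotation mode only)

class TokenService:
    """Hypothetical issuer: stateless access tokens, stateful refresh tokens."""
    def __init__(self, rotate: bool, clock=time.time):
        self.rotate = rotate
        self.clock = clock
        self.key = secrets.token_bytes(32)   # HMAC key for signing access tokens
        self.refresh = {}                    # refresh token -> RefreshRecord
        self.revoked_families = set()

    # Access tokens are payload.signature and are verified with no server-side
    # lookup, so once issued nothing but the expiry can invalidate one.
    def _mint_access(self, user: str) -> str:
        claims = {"sub": user, "exp": self.clock() + ACCESS_TTL}
        payload = _b64(json.dumps(claims).encode())
        sig = _b64(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        return payload + "." + sig

    def verify_access(self, token: str):
        parts = token.split(".")
        if len(parts) != 2:
            return None
        payload, sig = parts
        expected = _b64(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(_unb64(payload))
        return claims["sub"] if claims["exp"] > self.clock() else None

    # Refresh tokens are opaque random strings kept in a server-side table, so
    # they can be expired, revoked or (with rotation) checked for reuse.
    def login(self, user: str):
        return self._issue(user, secrets.token_hex(8))

    def _issue(self, user: str, family: str):
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = RefreshRecord(user, family, self.clock() + REFRESH_TTL)
        return self._mint_access(user), rt

    def refresh_tokens(self, rt: str):
        rec = self.refresh.get(rt)
        if rec is None or rec.expires_at <= self.clock() or rec.family in self.revoked_families:
            raise PermissionError("invalid refresh token")
        if not self.rotate:
            # No rotation: the same refresh token keeps minting access tokens until it expires.
            return self._mint_access(rec.user), rt
        if rec.used:
            # An already-exchanged token is presented again. The server cannot tell the
            # legitimate client from a thief holding a stale copy, so the whole family
            # is revoked and the user has to log in again.
            self.revoked_families.add(rec.family)
            raise PermissionError("refresh token reuse detected; family revoked")
        rec.used = True
        return self._issue(rec.user, rec.family)

    def revoke_user(self, user: str) -> None:
        """Server-side logout: invalidates every refresh family of the user."""
        for rec in self.refresh.values():
            if rec.user == user:
                self.revoked_families.add(rec.family)

def _can_refresh(svc: TokenService, rt: str) -> bool:
    try:
        svc.refresh_tokens(rt)
        return True
    except PermissionError:
        return False

def stolen_refresh_scenario(rotate: bool) -> dict:
    """A refresh token is copied off the client, the legitimate client refreshes once,
    then both parties try to refresh again."""
    svc = TokenService(rotate)
    _, rt = svc.login("alice")
    stolen = rt                          # the copy taken before the next refresh
    _, rt_next = svc.refresh_tokens(rt)
    return {"attacker": _can_refresh(svc, stolen), "legit": _can_refresh(svc, rt_next)}

def revocation_scenario() -> dict:
    """Revoking refresh tokens does not reach access tokens already issued."""
    svc = TokenService(rotate=True)
    at, rt = svc.login("bob")
    svc.revoke_user("bob")
    return {"refresh_blocked": not _can_refresh(svc, rt),
            "access_still_valid": svc.verify_access(at) == "bob"}
```

Running `stolen_refresh_scenario(False)` returns `{"attacker": True, "legit": True}`: without rotation the copied refresh token is indistinguishable from the original and keeps working for its full lifetime, exactly the "same power as a long-lived access token" situation the question describes. With rotation the same scenario returns `{"attacker": False, "legit": False}`: the stale copy trips reuse detection and the family is revoked, so the damage is bounded by the time until the next legitimate refresh and the event is visible to the server. `revocation_scenario()` shows the other half of the argument: the refresh token is killed instantly, but the already-issued access token verifies fine until it expires, because nothing in the stateless check consults the server. That asymmetry is what makes a short access-token lifetime worthwhile even without RTR.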

0 Answers