And the refresh token will be passed through secure cookies. Is there any security issues with this implementation