by Etheryte 1083 days ago
This approach doesn't really solve anything. If you have expiration times that short you will need a mechanism for renewing tokens and a compromised token can be renewed all the same. All you have is slightly higher server load because your regular users need to renew their tokens all the time.

If your access token is compromised, you would normally need your refresh token to get a new access token? So it would increase security, but if you lose your refresh token, you def have the same problem.

Or am I missing some context?

Depends. Some systems allow for access tokens to be extended, some don't.

We only use refresh tokens for mobile devices as those can be securely stored.

Access token renewal is allowed for browsers for as long as we detect a valid session.

And that session cannot be extended. Every 8 hours it's back to the authentication page with your YubiKey.