
OAuth 2.0 BCP §4.14 Reuse Detection in Practice — Race vs Theft Disambiguation
Tags: Authentication, Security, Token Management, Best Practices
The post discusses implementing OAuth 2.0 Security Best Current Practice (BCP) §4.14, refresh token reuse detection, in a way that distinguishes benign races from token theft. It introduces a FamilyId that groups every refresh token produced by rotating the same original token; if a token that has already been rotated is presented again outside a short grace window, the server revokes the entire family (and with it the session). The challenges are balancing false positives caused by network delays and retries against timely attack detection, and handling concurrency in multi-tab applications where two tabs may refresh with the same token at almost the same moment. The solution combines server-side checks, client-side error handling, and observability hooks that raise security alerts when reuse is detected.
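The mechanism summarised above, as an added illustration that is not the post's own code: an in-memory refresh token store that rotates tokens, tags every token with a family id, treats a replay of an already-rotated token inside a short grace window as a benign race (handing back the current successor instead of rotating again), and treats a replay outside that window as reuse, revoking the whole family and emitting an alert record. The grace window length, the record layout and the `alerts` list are assumptions made for the example; a real deployment would back the store with a database and wire `alerts` into its monitoring pipeline.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed grace window (seconds) in which a replay of a rotated token is
# treated as a race between tabs/retries rather than as theft.
DEFAULT_GRACE_SECONDS = 10


@dataclass
class TokenRecord:
    family_id: str              # groups every token derived from one original grant
    issued_at: float
    rotated_at: Optional[float] = None  # set when this token was exchanged
    successor: Optional[str] = None     # token issued in exchange for this one


@dataclass
class RefreshResult:
    ok: bool
    new_token: Optional[str] = None
    reason: str = ""


class RefreshTokenStore:
    """In-memory refresh token store with family-based reuse detection."""

    def __init__(self, grace_seconds: float = DEFAULT_GRACE_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.tokens: dict[str, TokenRecord] = {}
        self.revoked_families: set[str] = set()
        self.alerts: list[dict] = []   # observability hook: one entry per detected reuse
        self.grace = grace_seconds
        self.clock = clock

    def issue_family(self) -> str:
        """Start a new family (e.g. at login) and return its first refresh token."""
        family_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = TokenRecord(family_id=family_id, issued_at=self.clock())
        return token

    def _latest_in_chain(self, token: str) -> str:
        # Follow successor links to the newest token that has not been rotated yet.
        rec = self.tokens[token]
        while rec.rotated_at is not None and rec.successor is not None:
            token = rec.successor
            rec = self.tokens[token]
        return token

    def refresh(self, presented: str) -> RefreshResult:
        rec = self.tokens.get(presented)
        if rec is None:
            return RefreshResult(False, reason="unknown_token")
        if rec.family_id in self.revoked_families:
            return RefreshResult(False, reason="family_revoked")

        now = self.clock()
        if rec.rotated_at is None:
            # Normal path: first use of this token, rotate it.
            new_token = secrets.token_urlsafe(32)
            self.tokens[new_token] = TokenRecord(family_id=rec.family_id, issued_at=now)
            rec.rotated_at = now
            rec.successor = new_token
            return RefreshResult(True, new_token=new_token)

        if now - rec.rotated_at <= self.grace:
            # Benign race (second tab, retried request): do not rotate again,
            # hand back the family's current live token so both callers converge.
            return RefreshResult(True, new_token=self._latest_in_chain(presented),
                                 reason="grace_replay")

        # Replay well after rotation: someone else holds a copy. Revoke the
        # whole family so neither the legitimate client nor the thief can continue.
        self.revoked_families.add(rec.family_id)
        self.alerts.append({
            "event": "refresh_token_reuse",
            "family_id": rec.family_id,
            "rotated_at": rec.rotated_at,
            "reused_at": now,
        })
        return RefreshResult(False, reason="reuse_detected")


def demo() -> None:
    # Simulated clock so the grace window can be crossed deterministically.
    clock = [1_000.0]
    store = RefreshTokenStore(grace_seconds=10, clock=lambda: clock[0])
    t1 = store.issue_family()
    r1 = store.refresh(t1)                 # first use: rotated
    clock[0] += 2
    r2 = store.refresh(t1)                 # same token 2s later: race, same successor
    clock[0] += 60
    r3 = store.refresh(t1)                 # same token 62s later: reuse, family revoked
    r4 = store.refresh(r1.new_token)       # the legitimate successor is now dead too
    print(r1.ok, r2.reason, r3.reason, r4.reason, len(store.alerts))


if __name__ == "__main__":
    demo()
```

The two tuning knobs a defender cares about are both visible here: a longer `grace_seconds` suppresses false positives from slow networks and retries but widens the interval in which a stolen copy can be used without tripping detection, and revoking the family (not just the replayed token) is what turns a detection into containment, at the cost of logging the legitimate user out, which is why the client needs a clean "family_revoked" handling path and the alert record needs to reach whoever triages sessions.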