In an ASP.NET Core application we are building we are using OpenID Connect Hybrid flow. From the Identity Server documentation: Access tokens are a bit more sensitive than identity tokens, and we don’t want to expose them to the “outside” world if not needed. OpenID Connect includes a flow called “Hybrid Flow” which gives us the best of both worlds, the identity token is transmitted via the browser channel, so the client can validate it before doing any more work. And if validation is successful, the client opens a back-channel to the token service to retrieve the access token. On our ASP.NET Core backend we use the acquired access token to call another API. However as an access token typically has a short lifetime, this only works until the access token is expired. To refresh our access token, we can use a refresh token to acquire a new access token from our Security Token Service. After trying multiple possible solutions, I ended up with an implementation where I use...