In an OAuth 2.0 scenario, how do you secure the OAuth client secret and avoid token replay?

1) How can we assure that the OAuth client secret is safe? For a pure JS web app, it cannot be stored in the client, since it becomes a public value. For an Android mobile app, it can be retrieved by decompiling the app binary.

2) We have to use a refresh token to keep extending the “session” time of the active user. How do we avoid the token replay issue? If the client ID and refresh token are shared, then we would be issuing access tokens without any validation (like 2FA). What kind of client binding can be done to the refresh token to ensure that access tokens are only provided in the same session and to the same client?


@rakeshapi,

Regarding,

1) How can we assure that the OAuth client secret is safe? For a pure JS web app, it cannot be stored in the client, since it becomes a public value. For an Android mobile app, it can be retrieved by decompiling the app binary.

  • If it's a pure JS web app, obviously you should not save the client secret. That means you cannot use grant types like Client Credentials. You need to use the Implicit Grant Type, where you don't need a client secret.
  • Regarding the Android app, the above concept still applies. You can use grant types like Resource Owner Password Credentials in a trusted-apps scenario.

2) We have to use a refresh token to keep extending the “session” time of the active user. How do we avoid the token replay issue? If the client ID and refresh token are shared, then we would be issuing access tokens without any validation (like 2FA). What kind of client binding can be done to the refresh token to ensure that access tokens are only provided in the same session and to the same client?

Hope it helps.
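The two mechanisms the question is asking about, shown as an added example that is not part of either post above: PKCE (RFC 7636), which lets a public client (browser SPA or Android app) complete the authorization code grant with no client secret at all, and refresh token rotation with reuse detection, which is how an authorization server notices a replayed refresh token and revokes the whole token family. This is a constructed, in-memory model of the server's token table written for this thread, not any real authorization server; the names `TokenStore`, `make_pkce_pair`, `pkce_ok` and `replay_is_detected` are illustrative. Binding a refresh token to a public `client_id` alone gives little protection, because the `client_id` is itself public; the reuse-detection step is what actually catches the scenario described in question 2.

```python
"""Constructed model of how a public OAuth 2.0 client avoids needing a client
secret (PKCE) and how an authorization server detects refresh-token replay
(rotation with reuse detection).  Example code only; not a real server."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import time


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# ---- Question 1: no client secret in a JS or Android app -> PKCE (RFC 7636)
def make_pkce_pair() -> tuple[str, str]:
    """Client side.  The verifier is a fresh random value that lives only in
    memory for one authorization request, so there is nothing to decompile."""
    verifier = b64url(secrets.token_bytes(32))        # 43 chars, within 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge                        # challenge goes in /authorize


def pkce_ok(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side, at the token endpoint: recompute S256 and compare in constant
    time.  An intercepted authorization code cannot be redeemed without the verifier."""
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return hmac.compare_digest(stored_challenge, recomputed)


# ---- Question 2: refresh-token rotation with reuse detection
class TokenStore:
    """In-memory stand-in for the authorization server's refresh-token table.
    Every grant gets a 'family'; each refresh consumes the presented token and
    issues a new one in the same family, so at any time exactly one token in a
    family is valid.  Seeing a consumed token again means a copy exists."""

    def __init__(self) -> None:
        self.tokens: dict[str, dict] = {}        # refresh token -> record
        self.revoked_families: set[str] = set()

    def issue(self, client_id: str, family: str | None = None, ttl: int = 30 * 86400) -> str:
        token = b64url(secrets.token_bytes(32))
        self.tokens[token] = {
            "family": family or b64url(secrets.token_bytes(16)),
            "client_id": client_id,   # bound to the client it was issued to (RFC 6749 s.6)
            "used": False,
            "exp": time.time() + ttl,
        }
        return token

    def refresh(self, presented: str, client_id: str) -> tuple[str, str]:
        """Exchange a refresh token for (access_token, new_refresh_token)."""
        rec = self.tokens.get(presented)
        if rec is None or rec["exp"] < time.time() or rec["family"] in self.revoked_families:
            raise PermissionError("invalid_grant")
        if rec["client_id"] != client_id:
            raise PermissionError("invalid_grant: token not issued to this client")
        if rec["used"]:
            # Replay: this token was already exchanged once, so two parties hold it.
            # We cannot tell attacker from victim, so revoke the whole family; the
            # real user is pushed back through interactive login (and any 2FA).
            self.revoked_families.add(rec["family"])
            raise PermissionError("invalid_grant: refresh token reuse, family revoked")
        rec["used"] = True
        access_token = b64url(secrets.token_bytes(32))   # opaque handle stands in for a JWT
        return access_token, self.issue(client_id, family=rec["family"])


def replay_is_detected(store: TokenStore, client_id: str = "spa-client") -> bool:
    """Walk the scenario from the question: a leaked refresh token is replayed
    after the legitimate client has already rotated it.  Returns True when the
    server rejects both the replay and the victim's otherwise-valid token."""
    rt0 = store.issue(client_id)
    _, rt1 = store.refresh(rt0, client_id)          # legitimate use, rt0 consumed
    _, rt2 = store.refresh(rt1, client_id)          # legitimate use, rt1 consumed
    try:
        store.refresh(rt1, client_id)               # attacker replays the stolen rt1
        return False
    except PermissionError:
        pass
    try:
        store.refresh(rt2, client_id)               # victim's current token is now dead too
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    v, c = make_pkce_pair()
    print("pkce ok:", pkce_ok(c, v), "| replay detected:", replay_is_detected(TokenStore()))
```

In a real deployment the token table lives in a database, the access token is a signed JWT or an opaque handle the resource server can introspect, and the "used" flag must be set atomically with the lookup so two concurrent refreshes cannot both succeed. Where the platform supports it, sender-constraining the tokens (DPoP, RFC 9449, or mutual TLS) is the stronger answer to the "same client" part of question 2, since it ties the token to a key the client holds rather than to a public identifier.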