When developing web services, you may need to get tokens using the OAuth 2.0 On-Behalf-Of (OBO) flow. The OBO flow serves the use case where an application invokes a service or web API, which in turn needs to call another service or web API. OBO propagates the delegated user identity and permissions through the request chain. When an application needs to use access and refresh tokens indefinitely, typically in offline access scenarios, it's critical to store the refresh tokens securely.
https://learn.microsoft.com/en-us/azure/architecture/example-scenario/secrets/secure-refresh-tokens
