Add security consideration on refresh tokens?

Based on discussion with Brian - should we give guidance on refresh tokens?

We should only add anything if there is new information. Currently it is not clear that we should. RFC 7521 already defines this. 

"Implementation of this specification should treat refresh tokens in accordance with RFC 7521"