Yes. A user can have one-to-many refresh tokens per application.
Yes. You can use the Authorization Code grant with cookies. Here is a workflow diagram of this: https://fusionauth.io/learn/expert-advice/authentication/webapp/oauth-authorization-code-grant-jwts-refresh-tokens-cookies/
No, this isn't currently possible.
I think that would fall into the threat detection bucket of features we are planning. Feel free to add any notes, comments or suggestions here: https://github.com/FusionAuth/fusionauth-issues/issues/905
@dan Thank you for your support. Fixing the signature just saved me another couple of hours (also coming from https://fusionauth.io/blog/2020/07/14/django-and-oauth/) ^^
Sorry, I pointed you to the incorrect setting.
You can go to Applications > FusionAuth > Edit > JWT > Refresh Token duration.
Changing that to 1 (the value is in minutes) caused me to be signed out of the admin application after 60 seconds.
Hope that helps.