Unlock a mobile app using refresh token by biometric login


Wondering if anyone could help me. What I know about the relationship between biometric authentication and refresh tokens is as follows: After the user finishes signing in, I receive tokens from the server, and I store the refresh token in local storage with a biometric requirement. To use this refresh token to get a new pair of access token and refresh token, the user needs to pass a biometric challenge (Face ID, Touch ID, …). If successful, the client will take this refresh token to get a new pair of access token and refresh token. The old refresh token stored will be altered by the new one in order to get another access token.

The question is: if the access token expires while the user is using the app and the refresh token is still locked in local storage, does the user need to pass another biometric challenge to continue accessing resources?

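The flow the question describes, as an added example that is not part of the question or the answer: a toy client keeps the access token in memory and the refresh token behind a biometric gate, and a stand-in authorization server rotates refresh tokens and rejects reuse of an already-rotated one. `TokenServer`, `BiometricStore`, `Client`, the injected clock and the 5-minute lifetime are all constructed for illustration; the server's `now` field replaces a real clock so the scenario runs deterministically. The point it makes concrete: as long as the access token is still valid the client never touches the biometric store, so no prompt occurs; the prompt happens exactly once per refresh, and a replayed old refresh token is refused.

```python
"""Added example (not from the question or the answer): biometric-gated
refresh token with server-side rotation. All names and values are constructed."""
import secrets
from dataclasses import dataclass, field

ACCESS_TTL = 300  # constructed: access tokens live for 5 minutes
CLOCK_SKEW = 10   # constructed: refresh slightly before the hard expiry


@dataclass
class TokenServer:
    """Constructed stand-in for the authorization server's token endpoint."""
    valid_refresh: set = field(default_factory=set)
    revoked_refresh: set = field(default_factory=set)
    now: float = 0.0  # injected clock so the example is deterministic

    def issue(self):
        # Every issuance produces a fresh access/refresh pair (rotation).
        rt = secrets.token_urlsafe(16)
        self.valid_refresh.add(rt)
        return {"access_token": secrets.token_urlsafe(16),
                "expires_at": self.now + ACCESS_TTL,
                "refresh_token": rt}

    def refresh(self, rt):
        if rt in self.revoked_refresh:
            # Reuse of a rotated token: treat the whole chain as compromised.
            self.valid_refresh.clear()
            raise PermissionError("refresh token reuse detected")
        if rt not in self.valid_refresh:
            raise PermissionError("unknown refresh token")
        self.valid_refresh.discard(rt)
        self.revoked_refresh.add(rt)
        return self.issue()


class BiometricStore:
    """Constructed stand-in for a Keychain/Keystore item that requires
    Face ID / Touch ID to read. `prompt` is a callback returning True when
    the user passes the challenge; `prompts` counts how often it was shown."""

    def __init__(self, prompt):
        self._secret = None
        self._prompt = prompt
        self.prompts = 0

    def put(self, value):
        self._secret = value  # writing does not prompt; the old value is overwritten

    def get(self):
        self.prompts += 1
        if not self._prompt():
            raise PermissionError("biometric challenge failed")
        return self._secret


class Client:
    """Constructed mobile-app token manager."""

    def __init__(self, server, store):
        self.server = server
        self.store = store
        self.access_token = None
        self.expires_at = 0.0

    def login(self):
        self._accept(self.server.issue())

    def _accept(self, tokens):
        self.access_token = tokens["access_token"]
        self.expires_at = tokens["expires_at"]
        self.store.put(tokens["refresh_token"])

    def get_access_token(self):
        # Valid access token: serve it from memory, no biometric prompt.
        if self.access_token and self.server.now < self.expires_at - CLOCK_SKEW:
            return self.access_token
        # Expired: reading the refresh token triggers the biometric challenge.
        rt = self.store.get()
        self._accept(self.server.refresh(rt))
        return self.access_token


def run_scenario(user_passes_biometric=True):
    """Drive the client through login, use within the TTL, expiry, and a replay."""
    server = TokenServer()
    store = BiometricStore(prompt=lambda: user_passes_biometric)
    client = Client(server, store)
    client.login()
    first = client.get_access_token()
    server.now += 60
    within_ttl = client.get_access_token()
    prompts_before_expiry = store.prompts
    server.now += ACCESS_TTL
    old_rt = store._secret
    try:
        renewed = client.get_access_token()
    except PermissionError:
        renewed = None
    reuse_detected = False
    try:
        server.refresh(old_rt)  # replaying the rotated token
    except PermissionError:
        reuse_detected = True
    return {"same_token_within_ttl": first == within_ttl,
            "prompts_before_expiry": prompts_before_expiry,
            "prompts_total": store.prompts,
            "renewed": renewed is not None and renewed != first,
            "reuse_detected": reuse_detected}


if __name__ == "__main__":
    print(run_scenario())
```

Run with `user_passes_biometric=False` to see the failure mode: the refresh is refused, the client keeps no usable access token, and the user has to authenticate again. In a real app the biometric prompt would be the OS access-control on the keychain item rather than a Python callback, but the ordering is the same.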

Answer by Gary Archer

The most usual option is to only involve the user to provide biometrics during the authentication workflow. An example might be to use WebAuthn as a second authentication factor. When dealing with the user's own assets you might then show a consent screen to allow the user to approve the application's access.

Sometimes, operating system mechanisms to prompt the user for biometrics are also possible when dealing with secrets. I would avoid prompting the user about tokens, though, since it is likely to confuse them. Storing refresh tokens in a secure, encrypted, HTTP-only cookie is a mainstream, secure and user-friendly option.