I am fairly new to the whole authentication/authorization mechanism with OAuth APIs. The documentation says that refresh tokens are valid for 15 years, and I don't see a way to revoke them, which makes me wonder about the security implications.
Is it possible to have more than one valid refresh token or does any subsequent generated token invalidate all previous?
What protections prevent misuse of a compromised refresh token if it doesn’t end up getting used by the application?
I believe the documentation also said that refresh tokens must be used for all subsequent access token requests, but what happens in the case where the refresh token is lost or you don’t have secured persistent memory? Would you go through the whole authorization process again?
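The mechanism these questions circle around is refresh token rotation with reuse detection, as described in the OAuth 2.0 Security Best Current Practice: every refresh request hands back a new refresh token and retires the old one, and presenting a retired token is treated as evidence that two parties hold a copy, so every token descended from that authorization grant is revoked. The following is an added example in Python, not code from the original post or from the API it asks about; the authorization server, its in-memory store, the "family" grouping and all names are hypothetical.

```python
"""Refresh token rotation with reuse detection (added example, hypothetical server).

Assumptions: the authorization server issues opaque refresh tokens, stores only a
SHA-256 hash of each, and groups all tokens descended from one authorization grant
into a 'family'. A separate grant (another device, another login) starts a new
family, so a user can hold several valid refresh tokens at once.
"""
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass


def _digest(token: str) -> str:
    # Store hashes, not tokens: a leaked database must not yield usable credentials.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class RefreshRecord:
    family: str
    subject: str
    expires_at: float
    used: bool = False  # True once this token has been rotated away


class ReuseDetected(Exception):
    """A retired refresh token was presented again."""


class RefreshTokenStore:
    def __init__(self, lifetime_s: float = 30 * 24 * 3600, now=time.time):
        self.lifetime_s = lifetime_s
        self.now = now
        self._records: dict[str, RefreshRecord] = {}
        self._revoked_families: set[str] = set()

    def issue_initial(self, subject: str) -> str:
        """Called once the user has completed the authorization flow; opens a new family."""
        return self._mint(secrets.token_hex(8), subject)

    def _mint(self, family: str, subject: str) -> str:
        token = secrets.token_urlsafe(32)
        self._records[_digest(token)] = RefreshRecord(family, subject, self.now() + self.lifetime_s)
        return token

    def refresh(self, presented: str) -> str:
        """Rotate: retire the presented token and return a fresh one in the same family."""
        rec = self._records.get(_digest(presented))
        if rec is None:
            raise KeyError("unknown refresh token")
        if rec.used:
            # Legitimate client and an attacker both hold this token; we cannot tell
            # which one is calling, so the whole family is revoked.
            self.revoke_family(rec.family)
            raise ReuseDetected("refresh token reuse detected; family revoked")
        if self.now() > rec.expires_at:
            raise PermissionError("refresh token expired")
        rec.used = True
        return self._mint(rec.family, rec.subject)

    def revoke_family(self, family: str) -> None:
        self._revoked_families.add(family)
        for digest, rec in list(self._records.items()):
            if rec.family == family:
                del self._records[digest]

    def is_valid(self, token: str) -> bool:
        rec = self._records.get(_digest(token))
        return rec is not None and not rec.used and self.now() <= rec.expires_at


def demo() -> dict:
    """Walk through rotation, a replay by an attacker, and an independent second device."""
    store = RefreshTokenStore()
    laptop = store.issue_initial("alice")
    phone = store.issue_initial("alice")       # second grant: separate family
    laptop2 = store.refresh(laptop)            # rotation retires `laptop`
    out = {
        "old_token_valid_after_rotation": store.is_valid(laptop),
        "new_token_valid_after_rotation": store.is_valid(laptop2),
    }
    try:                                       # attacker replays the copied old token
        store.refresh(laptop)
        out["reuse_rejected"] = False
    except ReuseDetected:
        out["reuse_rejected"] = True
    out["new_token_valid_after_reuse"] = store.is_valid(laptop2)   # whole family gone
    out["other_device_still_valid"] = store.is_valid(phone)       # unaffected family
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Compared with a long-lived, never-rotated token, this bounds the damage from a copied refresh token to the window before either holder next refreshes, and it gives the server a signal (the reuse) that a compromise has happened. Losing the client-side token still means going through the authorization flow again; rotation does not remove that need, it just makes the stored token less valuable to steal.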