But on the other hand, under Users there is a tab called Devices, where it shows the refresh token and an option to unlink refresh tokens, and then the user will be forced to log in again.
Can you please explain how it is different from revoking a token? Also, we are working on a native mobile app, and we tried unlinking the refresh token, but it didn't force the user to log out until the already issued token expired.
So how does the unlinking functionality work?
Thanks for pointing this out. I think there is some confusing information in this doc, as refresh tokens can in fact be revoked. Access tokens and ID tokens, on the other hand, cannot.
I will let the docs team know there is some confusion here.
Thanks Dan.
So in our native app, I tried to revoke the refresh token. What should be the expected behaviour? Will it let the access token or ID token get refreshed (sliding token expiration) on any action or activity, or will it force the user to log in again?
Access tokens and ID tokens are valid until they expire. They cannot be revoked.
The native app should be able to use those two tokens until they expire; then the user will need to reauthorize the app to get a new refresh token. The behavior will depend on how you set up the app or what SDK you are using. You can have it inform the user, or just force a login, but they will not be able to use the refresh token after it is expired; it will not be accepted.
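The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Auth0 or SDK code: a toy in-memory model in which the API checks only the access token's expiry, so revoking (unlinking) the refresh token is noticed only when the client next tries to refresh. `ToyAuthServer`, `ToyClient`, `timeline` and the 600-second lifetime are assumptions made for illustration.

```python
import secrets

ACCESS_TTL = 600  # constructed lifetime in seconds, not a real default

class ToyAuthServer:
    """Hypothetical in-memory stand-in for an authorization server."""
    def __init__(self):
        self.refresh_tokens = set()  # server-side state, so it can be revoked

    def login(self, now):
        rt = secrets.token_urlsafe(16)
        self.refresh_tokens.add(rt)
        return {"exp": now + ACCESS_TTL}, rt

    def revoke(self, rt):
        self.refresh_tokens.discard(rt)

    def refresh(self, rt, now):
        if rt not in self.refresh_tokens:
            raise PermissionError("invalid_grant")  # OAuth 2.0 error code
        return {"exp": now + ACCESS_TTL}

def api_accepts(access, now):
    # The API in this model looks only at exp; it never asks the server.
    return access is not None and now < access["exp"]

class ToyClient:
    def __init__(self, server, now):
        self.server = server
        self.access, self.rt = server.login(now)

    def request(self, now):
        if api_accepts(self.access, now):
            return "ok"
        try:
            self.access = self.server.refresh(self.rt, now)
        except PermissionError:
            self.access = self.rt = None  # drop stale credentials
            return "login_required"
        return "refreshed"

def timeline(revoke_at=None):
    """Replay constructed request times; optionally revoke the refresh token."""
    server = ToyAuthServer()
    client = ToyClient(server, now=0)
    events = []
    for now in (100, 300, 599, 600, 700):
        if revoke_at is not None and now >= revoke_at:
            server.revoke(client.rt)
        events.append((now, client.request(now)))
    return events
```

With `timeline(revoke_at=200)` the requests at 300 and 599 still succeed, and the forced login appears only at 600 when the access token has expired and the refresh is rejected.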