With OpenIdConnect, when the access_token expires, I use the refresh token to get a new one, and in the response I also have a new refresh token (the first used is revoked).
But it seem it doesn’t work like this with auth0 : the refresh token never expires.
how can I force the generation of a new refresh token when after I called the /oauth/token endpoint with grant_type=refresh token ?
Auth0 handles token revocation as though the token has been potentially exposed to malicious adversaries. Therefore, each revocation request invalidates not only the specific token, but all other tokens based on the same authorization grant. This means that all Refresh Tokens that have been issued for the same user, application, and audience will be revoked .\
This may cause some complications with revoking every token that you use.
We don’t have documentation on how to determine if a refresh token is stolen because there are instances where it wouldn’t be possible to determine such a thing. If you are not following the guidelines described in the document I linked previously, then I would suggest making the changes.