We have Refresh Token Rotation enabled and the reuse interval set to 0.
The scenario is: when we remove SMS MFA and purposely call to refresh the token, that call now sends us a response where the refresh token is invalid. Does it have something to do with the SMS MFA being removed? (I just simplified the scenario stated here from the issue we are facing, but it's something similar.)
Let me know if this needs more details.
Hi @johnariel.lomboy
Welcome to the Auth0 Community!
The behaviour that you're experiencing is expected, as the token is created at the moment of authentication and it contains details about the user, including the existence of the SMS MFA. If this is removed, the token itself does not expire, but Auth0 treats this event as a potential security risk and revokes the token. This can be viewed similarly to events such as the user changing their password, after which they are no longer able to use their existing/previous token in order to authenticate.
Depending on what you wish to accomplish next, you can implement logic within your application so that, when an invalid token is received, the user’s session is no longer valid and it forces re-authentication.
The following documentation can provide more useful information on this matter if needed:
Hope this helped!
Gerald
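To make the behaviour in the reply concrete, here is an added example (not Auth0's code and not code from either poster): a toy in-memory model of a token endpoint that rotates refresh tokens, revokes a user's token families when an MFA enrollment is removed, and treats reuse of an already-rotated token (with a reuse interval of 0) as theft, together with the client-side handling the reply recommends: on an invalid refresh token, drop the local session and force re-authentication. The `invalid_grant` error body, the HTTP 403 status, and the idea that reuse inside the interval is tolerated are assumptions of this model, not facts stated in the thread.

```python
# Added example, not Auth0's code. Assumptions (not from the thread): the token
# endpoint answers an invalid refresh token with HTTP 403 and a body of the form
# {"error": "invalid_grant", "error_description": ...}; reuse of a rotated token
# inside the reuse interval is tolerated, outside it the whole family is revoked.
import secrets


class ReauthRequired(Exception):
    """Raised by the client when the server will no longer accept its refresh token."""


class TokenServer:
    """In-memory stand-in for the /oauth/token refresh_token grant (simplified)."""

    def __init__(self, reuse_interval_s=0):
        self.reuse_interval_s = reuse_interval_s
        self.clock = 0.0          # fake time in seconds, advanced by tick()
        self._users = {}          # user_id -> {"mfa_enrolled": bool}
        self._families = {}       # family_id -> user_id, only unrevoked families
        self._tokens = {}         # refresh_token -> {"user", "family", "rotated_at"}

    def tick(self, seconds):
        self.clock += seconds

    def _issue(self, user_id, family_id):
        rt = secrets.token_urlsafe(16)
        self._tokens[rt] = {"user": user_id, "family": family_id, "rotated_at": None}
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt}

    def login(self, user_id, mfa_enrolled=True):
        """Full authentication (password + MFA) starts a fresh token family."""
        self._users[user_id] = {"mfa_enrolled": mfa_enrolled}
        family_id = secrets.token_hex(8)
        self._families[family_id] = user_id
        return self._issue(user_id, family_id)

    def remove_mfa(self, user_id):
        """Removing the MFA enrollment revokes every refresh-token family of the user."""
        self._users[user_id]["mfa_enrolled"] = False
        for family_id, owner in list(self._families.items()):
            if owner == user_id:
                del self._families[family_id]

    def refresh(self, refresh_token):
        rec = self._tokens.get(refresh_token)
        if rec is None or rec["family"] not in self._families:
            return 403, {"error": "invalid_grant",
                         "error_description": "Unknown or invalid refresh token."}
        if rec["rotated_at"] is not None and self.clock - rec["rotated_at"] >= self.reuse_interval_s:
            # Replay of a token that was already rotated, outside the leeway window:
            # assume it leaked and revoke the whole family, including the newest token.
            del self._families[rec["family"]]
            return 403, {"error": "invalid_grant",
                         "error_description": "Refresh token reuse detected; family revoked."}
        if rec["rotated_at"] is None:
            rec["rotated_at"] = self.clock
        return 200, self._issue(rec["user"], rec["family"])


class Client:
    """Application side: keep only the newest token pair, re-authenticate on invalid_grant."""

    def __init__(self, server, tokens):
        self.server = server
        self.session = tokens

    def refresh(self):
        if self.session is None:
            raise ReauthRequired("no session")
        status, body = self.server.refresh(self.session["refresh_token"])
        if status == 200:
            self.session = body           # the old refresh token is now consumed
            return body
        if body.get("error") == "invalid_grant":
            self.session = None           # token is gone for good: force a new login
            raise ReauthRequired(body.get("error_description", "invalid refresh token"))
        raise RuntimeError(f"unexpected token endpoint response: {status} {body}")


def scenario_mfa_removed():
    """The question's case: rotation works, then removing MFA invalidates the token."""
    server = TokenServer(reuse_interval_s=0)
    client = Client(server, server.login("auth0|alice"))
    client.refresh()                      # ordinary rotation succeeds
    server.remove_mfa("auth0|alice")
    try:
        client.refresh()
    except ReauthRequired:
        return "reauth"
    return "still valid"


def scenario_token_reuse():
    """Reuse interval 0: replaying a consumed token locks out the legitimate client too."""
    server = TokenServer(reuse_interval_s=0)
    client = Client(server, server.login("auth0|bob"))
    leaked = client.session["refresh_token"]
    client.refresh()                      # legitimate rotation consumes `leaked`
    status, body = server.refresh(leaked) # attacker replays the old token
    try:
        client.refresh()
        outcome = "still valid"
    except ReauthRequired:
        outcome = "reauth"
    return status, body["error"], outcome
```

The point for the application is the `Client.refresh` branch: an `invalid_grant` on the refresh call is not a transient failure to retry, so the stored token pair is discarded and the user is sent back through login (which re-evaluates MFA enrollment). Running `scenario_mfa_removed()` reproduces the question's observation, and `scenario_token_reuse()` shows why reuse interval 0 also kills the current token when an old one is replayed.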