Unfortunately I’ve had to submit a third question on this topic. If topics were left open for continued discussion that may be beneficial for the community.
As noted in this question, there are situations where revoking a refresh token will make other refresh tokens also become invalid. Is there any alternative that will allow making a refresh token invalid without deleting all the same grants behind the scenes (thus revoking ALL refresh tokens)? Surely we’ve all used features / tools like gmail that allows perpetual logins, and logging out does not log out all users of that account. I’m trying to do the same with Auth0. Refresh tokens get part of the way, but I need the ability to revoke a refresh token while allowing other refresh tokens to remain valid.
@nicolas_sabena - would you have any insight?