Refresh token lifetime and session length

From what I can find, the OAuth2 spec makes no mention of refreshing a session with the refresh token, and limits the token’s scope to fetching a new access token.

I can also clarify my initial response: There are multiple layers of sessions happening, and even though the Auth0 Session has expired, that does not immediately result in the Application Session expiring.

For example: A refresh token can be used to retrieve access tokens for the configured time period, even when the Auth0 Session Layer has expired. This would essentially allow the (native) application to retrieve tokens and continue the Application Session even when the Auth0 Session has reached its limit. The Session Lifetime settings are separate from the Refresh Token Lifetimes. This FAQ illustrates it: Inactivity Expiration with Refresh Token

We also offer a Long Lived Sessions feature with enterprise subscriptions. This feature allows you to configure your Auth0 session to inactivity timeouts of up to 100 days.

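A small model of the two session layers described in the post above, as an added example that is not Auth0's code and not part of the original reply. The class names, the timeout values and the `revoked` flag are constructed assumptions; the point it shows is that the token endpoint consults only the refresh token's own lifetimes, so an expired Auth0 session does not by itself end the application session.

```python
"""Two independent session layers: Auth0 (SSO) session vs. refresh-token lifetime.
Constructed illustration; all timeouts are sample values, not Auth0 defaults."""
from dataclasses import dataclass

H = 3600  # seconds per hour


@dataclass
class Auth0Session:
    """SSO-layer session with inactivity and absolute limits."""
    started: int
    last_activity: int
    idle_timeout: int
    absolute_timeout: int

    def is_active(self, now: int) -> bool:
        return (now - self.last_activity) < self.idle_timeout and \
               (now - self.started) < self.absolute_timeout


@dataclass
class RefreshToken:
    """Refresh token with its own absolute and inactivity lifetimes."""
    issued: int
    last_used: int
    absolute_lifetime: int
    idle_lifetime: int
    revoked: bool = False  # assumed: explicit revocation is the lever that ends app sessions

    def is_valid(self, now: int) -> bool:
        return (not self.revoked
                and (now - self.issued) < self.absolute_lifetime
                and (now - self.last_used) < self.idle_lifetime)


def refresh_access_token(token: RefreshToken, now: int) -> bool:
    """Token-endpoint decision: checks only the refresh token, never the SSO session.
    Returns True when a new access token would be issued; a use resets the idle clock."""
    if not token.is_valid(now):
        return False
    token.last_used = now
    return True


def simulate() -> dict:
    """SSO idle limit 1h; refresh token idle lifetime 24h, absolute 30 days."""
    sso = Auth0Session(started=0, last_activity=0, idle_timeout=1 * H, absolute_timeout=24 * H)
    rt = RefreshToken(issued=0, last_used=0, absolute_lifetime=30 * 24 * H, idle_lifetime=24 * H)
    r = {}
    r["sso_active_at_2h"] = sso.is_active(2 * H)                  # False: SSO idle limit passed
    r["refresh_ok_at_2h"] = refresh_access_token(rt, 2 * H)       # True: app session continues
    r["refresh_ok_at_20h"] = refresh_access_token(rt, 20 * H)     # True: used within 24h of last use
    r["refresh_ok_at_3d"] = refresh_access_token(rt, 3 * 24 * H)  # False: >24h idle since hour 20
    rt.revoked = True
    r["refresh_ok_after_revoke"] = refresh_access_token(rt, 21 * H)  # False: revoked
    return r
```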