In this article (https://auth0.com/blog/oauth2-implicit-grant-and-spa/) Vittorio writes, “Either way: I personally know of only two products supporting refresh token rotation as of today. Neither Microsoft, Google, nor Auth0 offer it at the moment.”
In this Auth0 documentation (https://auth0.com/docs/flows/concepts/auth-code-pkce) it talks about Auth0’s ability to handle refresh tokens:
If you have Refresh Token Rotation enabled, a new Refresh Token is generated with each request and issued along with the Access Token. When a Refresh Token is exchanged, the previous Refresh Token is invalidated but information about the relationship is retained by the authorization server.
Should there be a note in that older article saying things have changed, or am I missing something? It’s quite confusing to read one thing and then read another from the same vendor (you really have to pay attention to dates).
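The rotation behaviour quoted from the documentation above, sketched as an added example (not part of the original post and not Auth0's implementation). The class and method names are hypothetical, and rejecting a replayed token while reporting its family is an assumption about what the retained relationship is used for.

```python
import secrets


class RotatingTokenStore:
    """Toy in-memory authorization server state (constructed for illustration)."""

    def __init__(self):
        # token -> {"family": id, "parent": previous token or None, "active": bool}
        self.tokens = {}

    def _mint(self, family, parent):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"family": family, "parent": parent, "active": True}
        return token

    def issue(self):
        """Initial grant: the first refresh token of a new family."""
        return self._mint(secrets.token_hex(8), None)

    def exchange(self, presented):
        """Exchange a refresh token; returns (access_token, new_refresh_token)."""
        record = self.tokens.get(presented)
        if record is None:
            raise PermissionError("unknown refresh token")
        if not record["active"]:
            # The record survived rotation, so a replayed token can be tied to its family.
            raise PermissionError(
                f"invalidated refresh token from family {record['family']}"
            )
        record["active"] = False  # the previous token is invalidated...
        new_refresh = self._mint(record["family"], presented)  # ...but stays linked
        return secrets.token_urlsafe(32), new_refresh

    def lineage(self, token):
        """Walk parent links from a token back to the first one in its family."""
        chain = []
        while token is not None:
            chain.append(token)
            token = self.tokens[token]["parent"]
        return chain
```

Because invalidated records are kept instead of deleted, a stale token presented later is distinguishable from a random string and can be attributed to a specific grant.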