We have a native app that uses refresh tokens with PKCE. It fairly regularly works. However, there are times when we get an “Invalid Refresh Token” error back, which results in an HTTP 403 error.
Can someone explain how/why this would happen? I can confirm that the refresh token sent is not revoked. As a sample, based on our logs it looks like we have seen this 13 times in the past 10 days, and have seen a successful exchange 1300 times.
Would Auth0 consider a refresh token invalid if someone logged in with the same account and got a more recent refresh token, for example? If a person has 2 devices and one account, would the latest refresh token be the only valid one?
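As an added illustration (not code from the post or from Auth0), here is a small Python model of refresh-token rotation with reuse detection, the kind of behaviour the question is asking about. Everything in it is an assumption of the model: each login starts its own token family, a refresh retires the token presented and issues a new one, and presenting a retired token is treated as reuse and revokes the whole family. The class and function names are invented for the example.

```python
# Added illustration of a rotation-with-reuse-detection model (not Auth0's code).
# Assumed: each login starts its own token family; a refresh retires the token
# presented; presenting a retired token is reuse and revokes the whole family.
import secrets

class InvalidRefreshToken(Exception):
    """Raised where a real server would answer 'Invalid Refresh Token'."""

class RotatingRefreshTokens:
    def __init__(self):
        self._tokens = {}              # token -> {"family": id, "retired": bool}
        self._revoked_families = set()

    def login(self):
        # A fresh login (one device) gets its own family; other logins are untouched.
        return self._issue(secrets.token_hex(4))

    def _issue(self, family):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"family": family, "retired": False}
        return token

    def refresh(self, token):
        rec = self._tokens.get(token)
        if rec is None:
            raise InvalidRefreshToken("unknown token")
        if rec["family"] in self._revoked_families:
            raise InvalidRefreshToken("family already revoked")
        if rec["retired"]:
            # Replay of an already-rotated token: revoke the entire family so
            # neither the old holder nor the current one can continue.
            self._revoked_families.add(rec["family"])
            raise InvalidRefreshToken("reuse detected; family revoked")
        rec["retired"] = True
        return self._issue(rec["family"])

def outcome(store, token):
    """Return 'ok' on success, otherwise the rejection reason."""
    try:
        store.refresh(token)
        return "ok"
    except InvalidRefreshToken as exc:
        return str(exc)

def scenario():
    store = RotatingRefreshTokens()
    a, b = store.login(), store.login()   # same account, two devices
    a2 = store.refresh(a)                 # device A rotates normally
    return {"b_after_a_rotated": outcome(store, b),  # "ok": B's family is separate
            "a_replayed": outcome(store, a),         # old A token -> family revoked
            "a2_after_reuse": outcome(store, a2)}    # collateral: revoked too
```

In this model a second device's login never invalidates the first device's token; what does is a client that sends an already-rotated token (for example after a retry or a race between two refresh requests), which then also breaks the newer token of the same family.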