What Happens When a User Exceeds The Refresh Token Limit

Problem Statement

What happens when a user exceeds the limit of refresh tokens for an application? Will it have any impact on their session and the application’s issuance of new tokens to the user?

Solution

When enforcing the refresh token limits, our service will periodically scan applications. When a user has exceeded the limit of refresh tokens for the application, the service will expire the excess tokens on an oldest-first basis.

This means your application can still issue new refresh tokens to a user who has exceeded the limit, but the oldest tokens will be expired to stay within the limit.

An application exchanging any of the last 200 tokens will be unaffected. So unless your application is for some reason retaining much older refresh tokens that it intends to re-use instead of newer ones, there should be no change in behavior from a user’s perspective.

The user’s session in Auth0 will remain untouched and the last 200 refresh tokens issued will still be valid. So the application can issue a new token normally without the user needing to re-authenticate.
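A small model of the oldest-first enforcement described above, added here as an example; it is not Auth0's implementation, and the store, the token format, the 200 limit as a constant and the method names are assumptions made for illustration.

```python
from collections import OrderedDict
import itertools

REFRESH_TOKEN_LIMIT = 200  # per user per application, as the article describes


class RefreshTokenStore:
    """Hypothetical model: refresh tokens per (user, client) with oldest-first expiry."""

    def __init__(self, limit=REFRESH_TOKEN_LIMIT):
        self.limit = limit
        self._seq = itertools.count(1)
        # (user, client_id) -> OrderedDict of token -> issue sequence; insertion order = issuance order
        self._tokens = {}

    def issue(self, user, client_id):
        """Issue a new refresh token; issuance is never blocked by the limit."""
        seq = next(self._seq)
        token = f"rt_{user}_{client_id}_{seq}"  # constructed opaque identifier, not a real token format
        self._tokens.setdefault((user, client_id), OrderedDict())[token] = seq
        return token

    def count(self, user, client_id):
        return len(self._tokens.get((user, client_id), ()))

    def is_valid(self, user, client_id, token):
        """True if the token has not been expired by the periodic scan."""
        return token in self._tokens.get((user, client_id), ())

    def enforce_limits(self):
        """Periodic scan: expire the excess tokens for every (user, client), oldest first.
        Returns the expired tokens in the order they were expired."""
        expired = []
        for tokens in self._tokens.values():
            while len(tokens) > self.limit:
                oldest, _ = tokens.popitem(last=False)  # oldest-first
                expired.append(oldest)
        return expired


if __name__ == "__main__":
    store = RefreshTokenStore()
    issued = [store.issue("alice", "app1") for _ in range(250)]
    gone = store.enforce_limits()
    # The 50 oldest are expired; the newest 200 still exchange normally.
    print(len(gone), store.is_valid("alice", "app1", issued[0]), store.is_valid("alice", "app1", issued[-1]))
```

A client that keeps re-using an old token (here `issued[0]`) is the one case that changes behavior: after the scan it fails to exchange, while any of the newest 200 still succeed.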
