How to implement an absolute timeout for OIDC/OAuth applications?

@phi1ipp I just tested this and found that a new refresh token was never issued. This behavior was confirmed by @vijet here as well.

So in that case the absolute timeout is tied to the refresh token lifetime set on the authorization server. You can choose an idle timeout by setting the “expire if not used” time on the authorization server to be something between the access token lifetime and the refresh token lifetime.

When the refresh token expires, you will be forced to hit /authorize which requires an active Okta browser Session.

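To make the behaviour described in the reply concrete, here is an added example (not code from the thread or from Okta) that models a non-rotating refresh token with an absolute lifetime and an optional "expire if not used" idle window. The class and function names, the policy values and the time offsets are all constructed for illustration; it only simulates the authorization-server decisions and never calls a real /token or /authorize endpoint.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class TokenPolicy:
    """Lifetimes as they would be configured on the authorization server (constructed values)."""
    access_lifetime: timedelta
    refresh_lifetime: timedelta                        # absolute timeout of the refresh token
    refresh_idle_timeout: Optional[timedelta] = None   # "expire if not used"; None = disabled

    def check(self) -> None:
        """An idle timeout is only meaningful between the access and refresh lifetimes."""
        if self.refresh_idle_timeout is None:
            return
        if not (self.access_lifetime < self.refresh_idle_timeout <= self.refresh_lifetime):
            raise ValueError("idle timeout must be > access lifetime and <= refresh lifetime")


@dataclass
class RefreshToken:
    value: str
    issued_at: datetime
    last_used_at: datetime


class AuthServerModel:
    """Minimal model of the refresh flow without token rotation (hypothetical, not Okta's code)."""

    def __init__(self, policy: TokenPolicy) -> None:
        policy.check()
        self.policy = policy
        self.token: Optional[RefreshToken] = None
        self._counter = 0

    def authorize(self, now: datetime) -> RefreshToken:
        """/authorize: assumes a live browser session and issues a brand-new refresh token."""
        self._counter += 1
        self.token = RefreshToken(f"rt-{self._counter}", now, now)
        return self.token

    def refresh(self, now: datetime) -> str:
        """/token with grant_type=refresh_token: returns 'ok' or the reason for rejection."""
        tok = self.token
        if tok is None:
            return "no_token"
        if now - tok.issued_at >= self.policy.refresh_lifetime:
            self.token = None
            return "absolute_expired"      # client must go back through /authorize
        idle = self.policy.refresh_idle_timeout
        if idle is not None and now - tok.last_used_at >= idle:
            self.token = None
            return "idle_expired"
        tok.last_used_at = now             # used in time: same token stays valid (no rotation)
        return "ok"


def demo_policy() -> TokenPolicy:
    """Constructed policy: 1h access token, 24h absolute refresh lifetime, 4h idle window."""
    return TokenPolicy(timedelta(hours=1), timedelta(hours=24), timedelta(hours=4))


def policy_rejects(access_h: float, idle_h: float, refresh_h: float) -> bool:
    """True if the sanity check refuses an idle timeout outside the allowed range."""
    try:
        TokenPolicy(timedelta(hours=access_h), timedelta(hours=refresh_h),
                    timedelta(hours=idle_h)).check()
        return False
    except ValueError:
        return True


def simulate(policy: TokenPolicy, offsets_hours: List[float]) -> Tuple[str, List[Tuple[float, str, Optional[str]]]]:
    """Authorize at t0, then attempt a refresh at each offset (hours after t0).

    Returns the first token value and, per attempt, (offset, result, current token value).
    """
    srv = AuthServerModel(policy)
    t0 = datetime(2024, 1, 1, tzinfo=UTC)
    first = srv.authorize(t0).value
    out = []
    for h in offsets_hours:
        res = srv.refresh(t0 + timedelta(hours=h))
        out.append((h, res, srv.token.value if srv.token else None))
    return first, out


if __name__ == "__main__":
    # Refreshing every 3h never trips the idle window, but the 24h absolute limit still ends the session.
    for row in simulate(demo_policy(), [3, 6, 9, 12, 15, 18, 21, 24])[1]:
        print(row)
    # A 5h gap between uses trips the idle window before the absolute limit does.
    for row in simulate(demo_policy(), [3, 6, 11, 12])[1]:
        print(row)
```

Two runs of `simulate` show the two timeouts separately: a client that refreshes every three hours keeps the same `rt-1` value until the 24-hour absolute lifetime ends the session regardless of activity, while a client that pauses for five hours is cut off by the idle window first. In both cases the only recovery is a new `authorize` call, which in the real flow depends on the browser session still being alive.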