Revoke refresh token after password expiration?

Hi, in my Flutter app I save the refresh token once I log in to Okta via the browser that opens from my app.
I set an expiration time for my password and it is indeed expired, but the refresh token is persisted to local safe storage and used in order to gain a new ID token next time. I was surprised to see that although the password is expired, the refresh token is still valid.
How can I make sure that the refresh token is not valid anymore and that a new password should be set?
Thanks

The refresh token validity is completely separate from the user’s session or any other lifetimes. If you want this token to be revoked when a certain event happens, you would need to revoke the token(s) manually yourself.

You can either revoke each refresh token manually, using the revocation endpoint for the authorization server used, or revoke ALL refresh tokens issued to a given user.
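The two options from the reply above, as an added example that is not part of the original answer or Okta's own code. It assumes the Okta paths `/oauth2/{authorizationServerId}/v1/revoke` and `/api/v1/users/{userId}/sessions?oauthTokens=true`, a constructed org URL, and an SSWS admin API token; check each against your org's API reference before use.

```python
import base64
import urllib.parse
import urllib.request

# Constructed placeholders (assumptions, not values from the thread).
OKTA_ORG = "https://example.okta.com"
AUTH_SERVER_ID = "default"


def revoke_one_request(refresh_token, client_id, client_secret=None):
    """RFC 7009 request that revokes a single refresh token.

    A native app such as a Flutter client is a public client, so it sends
    client_id in the form body (assumed to be accepted by the server);
    a confidential client authenticates with HTTP Basic instead.
    """
    form = {"token": refresh_token, "token_type_hint": "refresh_token"}
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    if client_secret is None:
        form["client_id"] = client_id
    else:
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    url = f"{OKTA_ORG}/oauth2/{AUTH_SERVER_ID}/v1/revoke"
    return urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(),
        headers=headers, method="POST")


def revoke_all_request(user_id, api_token):
    """Admin request that clears the user's sessions and, with
    oauthTokens=true, revokes the OAuth tokens issued to that user."""
    url = (f"{OKTA_ORG}/api/v1/users/{urllib.parse.quote(user_id, safe='')}"
           "/sessions?oauthTokens=true")
    return urllib.request.Request(
        url, headers={"Authorization": f"SSWS {api_token}",
                      "Accept": "application/json"}, method="DELETE")


def send(request, timeout=10):
    """Send a prepared request; True on 2xx. Per RFC 7009 the revoke endpoint
    also answers 200 for an unknown or already-revoked token, so success
    means 'not usable any more', not 'was valid until now'."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return 200 <= resp.status < 300
```

The user-wide call needs an admin credential, so it belongs in a backend job that reacts to the password-expiry event, not in the mobile app.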
