and we found the token revocation policy is so clear: if a user changes their password, then they may have to re-authenticate. BUT we tested again and again, and it looks like this policy does not work for us: the original access_token and refresh_token can still be used without any error. Does it make sense? Or is there anything we missed?
We tested it in this way. Let's see if there are any problems.
The first time a user logs in to the application, they enter their credentials, and the application obtains the access_token to access the resource.
The application saves the access_token and uses this information directly in the next request.
When the access_token expires, the application uses the refresh_token to obtain a new access_token.
Users may modify their passwords for a variety of reasons. We expect the original token to be revoked automatically and the user to be prompted to re-authenticate next time.
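An added example, not from this thread or any vendor SDK, that models the four steps above against a constructed stand-in authorization server (`AuthServer` and `Client` are assumed names): a self-contained access token is only checked against its expiry, so it keeps working after a password change, while the refresh token is tied to the password generation it was issued under and the client must fall back to an interactive login when the refresh is rejected with `invalid_grant`.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthServer:
    """Constructed stand-in for an OAuth 2.0 authorization server (not a real product)."""
    access_ttl: int = 3600
    pw_version: dict = field(default_factory=dict)      # user -> password generation
    refresh_tokens: dict = field(default_factory=dict)  # refresh token -> (user, generation)

    def login(self, user, now):
        gen = self.pw_version.setdefault(user, 0)
        rt = secrets.token_urlsafe(16)
        self.refresh_tokens[rt] = (user, gen)
        # access token is self-contained: subject plus expiry, nothing to look up later
        return {"access_token": {"sub": user, "exp": now + self.access_ttl}, "refresh_token": rt}

    def refresh(self, rt, now):
        entry = self.refresh_tokens.get(rt)
        if entry is None or entry[1] != self.pw_version[entry[0]]:
            raise PermissionError("invalid_grant")  # revoked or unknown refresh token
        return {"access_token": {"sub": entry[0], "exp": now + self.access_ttl}, "refresh_token": rt}

    def change_password(self, user):
        # bump the generation: every refresh token issued before this moment is now invalid
        self.pw_version[user] = self.pw_version.get(user, 0) + 1

    def validate_access(self, at, now):
        # the resource server only checks expiry; a password change cannot reach a token it never sees
        return now < at["exp"]

class Client:
    """Models the thread's steps: log in, cache, refresh, and fall back to re-authentication."""
    def __init__(self, server, user):
        self.server, self.user, self.tokens, self.interactive_logins = server, user, None, 0

    def get_access_token(self, now):
        if self.tokens is None:
            self.tokens = self.server.login(self.user, now)
            self.interactive_logins += 1
        elif not self.server.validate_access(self.tokens["access_token"], now):
            try:
                self.tokens = self.server.refresh(self.tokens["refresh_token"], now)
            except PermissionError:  # invalid_grant: drop the cache and prompt the user again
                self.tokens = None
                return self.get_access_token(now)
        return self.tokens["access_token"]
```

The observable effect is the one described in the question: the cached access token stays usable until it expires, and only the next refresh after the password change forces a new interactive login.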
Last time I played with this, only synced/federated users' tokens were affected by password changes, and by tokens I mean only the refresh tokens. For synced users, password changes didn't invalidate tokens; admin password resets did, though. Things might have changed since, though.