Hello,
I am thinking about the scenario where my login provider is using an external (or even multiple) identity providers and, in general, does not know what may happen to a user who was successfully authenticated a while ago. Specifically, I am thinking about the scenario with the refresh token. Imagine that the access and refresh tokens have been issued, and then the user loses his/her device, gets fired from the company, or changes the password. With the refresh token, the user (or whoever steals the laptop) can still access the API for a while. Logically, the binding between the access token and the identity should be broken as soon as possible. But I can’t find a way to enforce it.
My understanding is that the login provider is not even called when refreshing the access token using the refresh token, so I do not even have a potential hook to control the re-issuing of the new access token at this point.
Without the refresh token at least the silent renewal would not be possible - the identity provider would require the user to log in again since the session cookie would become invalid.
I am looking for guidance on how to approach this problem.
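The checks that a refresh endpoint needs in order to break the token/identity binding, as an added illustration that is not part of the original post and assumes the refresh endpoint is your own authorization server rather than a third-party identity provider (the store, the `credential_version` counter and the user names are hypothetical). Each refresh token is stored hashed, is single-use (rotation), carries the version of the user's credentials at issue time, and belongs to a "family" so that presenting an already-rotated token revokes the whole chain:

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class RefreshRecord:
    user_id: str
    family_id: str            # rotation chain; revoked as a whole on reuse
    credential_version: int   # user's password/identity version at issue time
    expires_at: float
    used: bool = False        # set once the token has been rotated
    revoked: bool = False


@dataclass
class User:
    credential_version: int = 0
    active: bool = True


class RefreshTokenStore:
    """Server-side refresh token state (hypothetical in-memory example)."""

    REFRESH_TTL = 30 * 24 * 3600   # 30 days
    ACCESS_TTL = 10 * 60           # 10 minutes

    def __init__(self):
        self.records = {}   # sha256(token) -> RefreshRecord
        self.users = {}     # user_id -> User

    @staticmethod
    def _key(token):
        # store only a hash so a database leak does not leak usable tokens
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, family_id=None, now=None):
        """Mint a (access_token, refresh_token) pair bound to the user's current credentials."""
        now = now if now is not None else time.time()
        user = self.users.setdefault(user_id, User())
        refresh = secrets.token_urlsafe(32)
        self.records[self._key(refresh)] = RefreshRecord(
            user_id, family_id or secrets.token_hex(8),
            user.credential_version, now + self.REFRESH_TTL)
        access = secrets.token_urlsafe(32)   # stands in for a short-lived access token
        return access, refresh

    def refresh(self, token, now=None):
        """Return a new token pair, or None if the binding to the identity is broken."""
        now = now if now is not None else time.time()
        rec = self.records.get(self._key(token))
        if rec is None:
            return None
        if rec.used:
            # A rotated token presented again means two parties hold it
            # (e.g. the legitimate client and a copy from a stolen laptop).
            self.revoke_family(rec.family_id)
            return None
        user = self.users.get(rec.user_id)
        if (rec.revoked or now > rec.expires_at or user is None
                or not user.active or user.credential_version != rec.credential_version):
            return None
        rec.used = True
        return self.issue(rec.user_id, rec.family_id, now)

    def revoke_family(self, family_id):
        for rec in self.records.values():
            if rec.family_id == family_id:
                rec.revoked = True

    def revoke_user(self, user_id):
        """Lost device / offboarding: every refresh token of the user stops working."""
        for rec in self.records.values():
            if rec.user_id == user_id:
                rec.revoked = True

    def change_password(self, user_id):
        # Bumping the version invalidates every token issued under the old one.
        self.users.setdefault(user_id, User()).credential_version += 1

    def deactivate_user(self, user_id):
        self.users.setdefault(user_id, User()).active = False
```

Because the refresh token itself is short, single-use and looked up server-side, the "hook" the question asks for is the lookup: password change, deactivation and explicit revocation all take effect at the next refresh, and the remaining exposure is bounded by the access token lifetime (`ACCESS_TTL` here). When the refresh endpoint belongs to an external identity provider instead, the equivalent levers are that provider's session revocation, the OAuth 2.0 token revocation endpoint (RFC 7009) where it is offered, and keeping access tokens short-lived.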