For a given user account on a customer's tenant, we followed the Microsoft Azure on-behalf-of procedure to grant Microsoft Graph permissions, including the offline_access scope, to our Web Application. We were then provided an access token and a refresh token. The user gave permission only once.
Everything went smoothly from then on for several months; then, out of the blue, we received an alert that the refresh token had expired after the 90-day inactivity period. Note that the refresh token was used within this window and for longer than 90 days.
Do you know why this happened? Is there a way to make a refresh token never expire, and if so, is that set on our side (Azure application) or on the customer's side?
What I do not understand is that we are theoretically in the "Token lifetime with confidential client refresh tokens" scenario described here (though I don't know how to check whether we are considered a confidential client or not).
Note that unlike in this question, I have made sure that the refresh token is replaced with the new refresh token when making calls to https://login.microsoftonline.com/common/oauth2/v2.0/token
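
The refresh-and-replace step described in the question, written out as an added example (not the poster's code): it redeems the stored refresh token at the token endpoint, keeps whichever refresh token is current afterwards, and turns an `invalid_grant` rejection into an explicit re-consent signal. The names `store`, `post`, `fake_endpoint` and `ReauthRequired` are hypothetical, and the HTTP call is injected so the block runs offline.

```python
import json
import urllib.parse

TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"


class ReauthRequired(Exception):
    """The refresh token was rejected; the user has to sign in again."""


def refresh_tokens(store, client_id, client_secret, scope, post):
    """Redeem the stored refresh token and persist its replacement.

    store: dict-like holding "refresh_token" (hypothetical persistence layer)
    post:  callable(url, form_body) -> (http_status, response_text)
    """
    form = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": store["refresh_token"],
        "client_id": client_id,
        # A confidential client authenticates itself here with a credential
        # (a secret in this sketch); a public client sends none.
        "client_secret": client_secret,
        "scope": scope,
    })
    status, text = post(TOKEN_URL, form)
    body = json.loads(text)
    if status != 200:
        if body.get("error") == "invalid_grant":
            # Expired or revoked token: retrying with it cannot succeed,
            # and the stored value is left untouched for diagnosis.
            raise ReauthRequired(body.get("error_description", ""))
        raise RuntimeError(f"token endpoint error: {body.get('error')}")
    # Save the rotated refresh token before handing back the access token.
    # If the response carries no new refresh token, keep the current one.
    store["refresh_token"] = body.get("refresh_token", store["refresh_token"])
    return body["access_token"]


def fake_endpoint(status, payload):
    """Constructed stand-in for the HTTP call, so the example runs offline."""
    return lambda url, form: (status, json.dumps(payload))
```

Logging the `error_description` carried by `ReauthRequired` records the reason the endpoint gave for rejecting the token.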