...

A refresh_token is valid indefinitely until revoked. A revocation endpoint is provided for invalidating the refresh_token.

Relying Party considerations

Because OAuth authorization requests are unsigned, values contained in the request can be verified by the SSO server. It is important that the response received is verified by the application to ensure it meets the requirements of the request.

...