Foreword
All the content here is to the best of my understanding. However, since this relates to security, don't use this as a definitive reference.
...
Importantly (from the link above, verbatim): "If a previously used refresh token is used again with the token request, the Authorization Server automatically detects the attempted reuse of the refresh token. As a result, Okta immediately invalidates the most recently issued refresh token and all access tokens issued since the user authenticated. This protects your application from token compromise and replay attacks."
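To make the quoted behaviour concrete, here is a toy in-memory model of refresh token rotation with reuse detection. It is an example added here, not Okta's code or code from this post; `RotatingTokenServer`, `try_refresh`, `replay_scenario` and the "family" bookkeeping (one family per authentication) are hypothetical names and assumptions.

```python
import secrets

class RotatingTokenServer:
    """Toy in-memory model of refresh token rotation with reuse detection."""
    def __init__(self):
        self.refresh = {}     # refresh token -> {"family": id, "used": bool}
        self.access = {}      # access token -> family id
        self.revoked = set()  # families revoked after detected reuse

    def _issue(self, family):
        at, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.refresh[rt] = {"family": family, "used": False}
        self.access[at] = family
        return at, rt

    def authenticate(self):
        """User logs in: each authentication starts a new token family."""
        return self._issue(secrets.token_hex(8))

    def refresh_tokens(self, rt):
        """Exchange a refresh token for a fresh access/refresh pair."""
        rec = self.refresh.get(rt)
        if rec is None or rec["family"] in self.revoked:
            raise PermissionError("invalid_grant")
        if rec["used"]:
            # Already rotated once: treat as replay and revoke everything
            # issued since this authentication (newest refresh token included).
            self.revoked.add(rec["family"])
            raise PermissionError("invalid_grant: refresh token reuse")
        rec["used"] = True
        return self._issue(rec["family"])

    def access_valid(self, at):
        family = self.access.get(at)
        return family is not None and family not in self.revoked

def try_refresh(srv, rt):
    try:
        srv.refresh_tokens(rt)
        return True
    except PermissionError:
        return False

def replay_scenario():
    """Constructed scenario: an old refresh token is replayed after rotation."""
    srv = RotatingTokenServer()
    at0, rt0 = srv.authenticate()
    at1, rt1 = srv.refresh_tokens(rt0)   # legitimate rotation rt0 -> rt1
    replay = try_refresh(srv, rt0)       # reuse of the already-used token
    latest = try_refresh(srv, rt1)       # newest token is invalidated too
    return replay, latest, srv.access_valid(at0), srv.access_valid(at1)
```

The server cannot tell which party replayed the old token, so both the legitimate client and anyone holding a copied token lose access and the user has to authenticate again.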
Using Okta to manage sessions
...
* Bizarrely, the returned token does include a refresh token, but with an expiry time the same as the access token, and it is never used by the user client. I may be misunderstanding something in the code, but this has baffled me since I first looked into it.
...