Which statement about token revocation lists in OAuth/OIDC is accurate?


Multiple Choice

Which statement about token revocation lists in OAuth/OIDC is accurate?

Explanation:
In OAuth/OIDC, managing the lifecycle of tokens hinges on the ability to invalidate them when needed. Access tokens are kept short-lived so that the window for misuse is small, and clients obtain new ones via a refresh token. The refresh token, in turn, can be revoked to terminate ongoing access. A token revocation list is a mechanism for recording tokens that should no longer be accepted, so the authorization server can reject them even if they have not reached their natural expiry. Combining token rotation at renewal with revocable refresh tokens and a maintained revocation list provides a practical way to enforce logout, respond to suspected compromise, and control long-term access.

That is why the statement describing tokens rotating on expiry, refresh tokens being revocable, and maintaining token revocation lists best captures the correct approach. The idea that tokens never rotate and cannot be revoked is not aligned with standard practice, nor is the notion that revocation lists are unnecessary just because tokens have short lifespans; a short lifetime does not remove the need to invalidate a compromised token immediately. And revocation lists do not have to be stored in plaintext; securing revocation data is important to prevent tampering.

