How many refresh tokens Google API issues for a given client/user combination?

Tags: google-oauth

I'm migrating an installed application to OAuth2 and came across this paragraph:

Note that there are limits on the number of refresh tokens that will be issued; one limit per client/user combination, and another per user across all clients. You should save refresh tokens in long-term storage and continue to use them as long as they remain valid. If your application requests too many refresh tokens, it may run into these limits, in which case older refresh tokens will stop working.

The app, as advised, is storing the refresh tokens but the user could request multiple refresh tokens by using it on multiple devices. I would like to know:

  • What's the client/user combination limit?

  • Which client_id refresh token gets revoked if the user goes over the "across all clients" limit?

  • A given refresh token will never expire unless the user goes over these limits or revokes it?

Thank you in advance for your help.


2 Answers

The limit is officially 25.

https://developers.google.com/accounts/docs/OAuth2#expiration

There is currently a 25-token limit per Google user account. If a user account has 25 valid tokens, the next authentication request succeeds, but quietly invalidates the oldest outstanding token without any user-visible warning.

bazik answered Nov 24 '25 21:11



The actual number is not in the public domain. It might be service specific and can change from time to time. Ref: https://developers.google.com/analytics/devguides/config/mgmt/v3/mgmtAuthorization#helpme

From what I understand, if the number can be as low as 25, then the moment a user logs in from the 26th machine, the account at the 1st machine is invalidated.

It would be a better idea to store the refresh tokens in a database over the network.

inquisitive answered Nov 24 '25 21:11

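As an added example (not code from the question or either answer), the Python below simulates the quoted 25-token rule with a constructed issuer and contrasts requesting a fresh token on every login with reusing one stored per client/user, as both answers advise; the issuer, the client id and the user name are assumptions, and the SQLite store stands in for a real database.

```python
import secrets
import sqlite3
from collections import deque
MAX_TOKENS = 25  # per-account figure quoted in the first answer

def issue(outstanding, user):
    """Constructed stand-in for the authorization server, not Google's code: once
    MAX_TOKENS tokens are valid for a user, issuing another quietly revokes the oldest."""
    tokens = outstanding.setdefault(user, deque())  # valid tokens, oldest first
    tokens.append(secrets.token_urlsafe(16))
    if len(tokens) > MAX_TOKENS:
        tokens.popleft()  # oldest token silently invalidated
    return tokens[-1]

class RefreshTokenStore:
    """Long-term storage keyed by (client_id, user); in-memory SQLite stands in
    for the networked database the second answer recommends."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE tokens (client_id TEXT, user TEXT, token TEXT,"
                        " PRIMARY KEY (client_id, user))")

    def get_or_request(self, client_id, user, request_new):
        row = self.db.execute("SELECT token FROM tokens WHERE client_id=? AND user=?",
                              (client_id, user)).fetchone()
        if row:
            return row[0]  # reuse the stored token; nothing new is issued
        token = request_new(user)
        self.db.execute("INSERT INTO tokens VALUES (?, ?, ?)", (client_id, user, token))
        return token

    def forget(self, client_id, user):
        # On invalid_grant the token was revoked: drop it so the next call re-authorizes.
        self.db.execute("DELETE FROM tokens WHERE client_id=? AND user=?", (client_id, user))

def first_token_survives(logins):
    """No storage, a fresh token per login: is the first token still valid?"""
    outstanding = {}
    first = issue(outstanding, "alice")
    for _ in range(logins - 1):
        issue(outstanding, "alice")
    return first in outstanding["alice"]

def outstanding_with_storage(app_starts):
    """With storage the same device reuses one token across every start."""
    outstanding, store = {}, RefreshTokenStore()
    for _ in range(app_starts):
        store.get_or_request("client-1", "alice", lambda user: issue(outstanding, user))
    return len(outstanding["alice"])
```

Note that the limit is per user account, so a store keyed by (client_id, user) cannot prevent the same user from collecting tokens across 26 devices or clients; it only stops one installation from needlessly requesting new ones.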