
We have many different organizations using our integration with Box. All of them except for one obtain and use OAuth refresh tokens, all day, every day.

One organization in particular is complaining about "losing their connection" with Box. The scenario is that the user has not used their OAuth connection in over an hour, so the OAuth token is expired; we use the refresh token to obtain a new OAuth token (and new refresh token), but the request fails with the error: "invalid grant", "Invalid refresh token".

It hasn't been 60 days, so that's not the error (that error reports "timeout", which is not what we're seeing). It's not an attempt to use the same refresh token more than once (we've eliminated that possibility).

In other OAuth systems, I know that if the user changes his password, it will invalidate any outstanding OAuth refresh tokens. Could this be the case here? Are there any other cases which would cause an OAuth refresh token to become invalid?

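Added example, not part of the original post and not Box's or the poster's code: a client-side token store for the single-use refresh flow described above. It serializes refreshes so one refresh token is never presented twice, logs a fingerprint of each token presented, and treats the standard OAuth 2.0 `invalid_grant` error as requiring re-authorization. `post_token` and `make_fake_endpoint` are hypothetical stand-ins for the real HTTP call, and the token values are constructed.

```python
import hashlib
import threading

class ReauthorizationRequired(Exception):
    """Refresh token rejected: the user must repeat the OAuth consent flow."""

def fingerprint(token):
    # Short SHA-256 prefix: safe to log, and shows which token was presented.
    return hashlib.sha256(token.encode()).hexdigest()[:12]

class TokenStore:
    """One user's token pair; refreshes are serialized (tokens are single-use)."""
    def __init__(self, access_token, refresh_token, post_token):
        self._lock = threading.Lock()
        self.access_token, self.refresh_token = access_token, refresh_token
        self._post_token = post_token  # hypothetical: form dict -> (status, json)
        self.audit = []                # (event, fingerprint of token presented)

    def refresh(self, stale_access_token):
        with self._lock:
            # Another caller rotated the pair while we waited: reuse its result.
            if self.access_token != stale_access_token:
                return self.access_token
            presented = self.refresh_token
            status, body = self._post_token(
                {"grant_type": "refresh_token", "refresh_token": presented})
            if status == 200:
                # Store BOTH new tokens before releasing the lock.
                self.access_token = body["access_token"]
                self.refresh_token = body["refresh_token"]
                self.audit.append(("rotated", fingerprint(presented)))
                return self.access_token
            event = body.get("error", "http_%d" % status)
            self.audit.append((event, fingerprint(presented)))
            if event == "invalid_grant":
                raise ReauthorizationRequired(body.get("error_description", ""))
            raise RuntimeError("token endpoint returned %d" % status)  # may retry

def make_fake_endpoint(valid_refresh):
    """Constructed stand-in endpoint: each refresh token works exactly once."""
    state = {"valid": valid_refresh, "n": 0}
    def post_token(form):
        if form["refresh_token"] != state["valid"]:
            return 400, {"error": "invalid_grant",
                         "error_description": "Invalid refresh token"}
        state["n"] += 1
        state["valid"] = "refresh-%d" % state["n"]
        return 200, {"access_token": "access-%d" % state["n"],
                     "refresh_token": state["valid"]}
    post_token.revoke = lambda: state.update(valid=None)  # server-side invalidation
    return post_token
```

The `audit` list is what helps in a case like this one: it records which refresh token was presented when the rejection arrived, without storing the secret itself.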