Is it a good idea to keep a hard expiration limit, say 30 days, on a refresh token and not issue a new one every time a new access token is requested, such that, when the refresh token has expired, it forces re-authentication?
This depends on the use case and business requirements.
Sure. But do you see any pitfalls to that approach? For example, what if the client is in the middle of some work, the access token expires, they try to get a new access token and find that the refresh token has also expired, so now they need to re-authenticate, potentially losing the current context on the client side? Would it be better to have some warning to the client about the upcoming expiration, say, if current time = refresh token expiration time minus 2 or 3 times the access token expiration time, then warn the client on the access token issue request?
So... the logic keeps getting "custom", and not something out of the box. I'm looking for what CA recommends if the business requirement is a hard limit on the refresh token's maximum lifetime.
I think there is no such warning mechanism in typical OAuth flows.
You can change the expiry time as per your business needs: the shorter, the more secure, but the less convenient for the end user.
The default of 7 days for the refresh token should be long enough. 30 days... might not be a good idea.
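The hard-limit policy discussed in this thread, together with the "expiring soon" hint proposed in the question, as an added example: this is not CA's product code and not something any poster supplied. The 10-minute access-token TTL, the 30-day cap, the warning threshold of three access-token lifetimes, the optional rotation mode and every class and function name are assumptions chosen for illustration.

```python
"""Hard-capped refresh tokens with an 'expiring soon' warning (added example)."""
import secrets
from dataclasses import dataclass


class ReauthRequired(Exception):
    """Raised when the refresh token is unknown or past its hard expiry."""


@dataclass
class RefreshToken:
    subject: str
    issued_at: float
    expires_at: float  # absolute; fixed at interactive login and never extended


class Issuer:
    """In-memory token issuer; all TTLs and names are assumptions, not product defaults."""

    def __init__(self, access_ttl=600, refresh_max_ttl=30 * 86400,
                 warn_factor=3, rotate=False):
        self.access_ttl = access_ttl
        self.refresh_max_ttl = refresh_max_ttl
        self.warn_factor = warn_factor
        self.rotate = rotate
        self._refresh = {}  # opaque refresh-token value -> RefreshToken
        self._access = {}   # opaque access-token value -> (subject, expires_at)

    def _mint_access(self, subject, now):
        tok = secrets.token_urlsafe(32)
        self._access[tok] = (subject, now + self.access_ttl)
        return tok

    def login(self, subject, now):
        """Interactive authentication: the only place a fresh hard expiry is set."""
        rt = secrets.token_urlsafe(32)
        self._refresh[rt] = RefreshToken(subject, now, now + self.refresh_max_ttl)
        return {"access_token": self._mint_access(subject, now),
                "expires_in": self.access_ttl,
                "refresh_token": rt,
                "refresh_expires_in": self.refresh_max_ttl}

    def refresh(self, refresh_value, now):
        rec = self._refresh.get(refresh_value)
        if rec is None or now >= rec.expires_at:
            # Expired values are dropped so they cannot be presented again later.
            self._refresh.pop(refresh_value, None)
            raise ReauthRequired("refresh token expired or unknown; log in again")
        remaining = rec.expires_at - now
        resp = {"access_token": self._mint_access(rec.subject, now),
                "expires_in": self.access_ttl}
        if self.rotate:
            # Rotation hands out a new value but inherits the original absolute
            # expiry, so the hard cap still counts from the interactive login.
            del self._refresh[refresh_value]
            new_value = secrets.token_urlsafe(32)
            self._refresh[new_value] = RefreshToken(rec.subject, rec.issued_at, rec.expires_at)
            resp["refresh_token"] = new_value
        if remaining <= self.warn_factor * self.access_ttl:
            # The question's proposal: warn once fewer than N access-token lifetimes
            # remain, so the client can save its state and re-authenticate on its terms.
            resp["refresh_expires_in"] = int(remaining)
            resp["warning"] = "refresh_token_expiring"
        return resp

    def validate_access(self, access_value, now):
        """Return the subject for a live access token, or None if unknown/expired."""
        entry = self._access.get(access_value)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]


def try_refresh(issuer, refresh_value, now):
    """Refresh helper that maps 'must log in again' to None instead of raising."""
    try:
        return issuer.refresh(refresh_value, now)
    except ReauthRequired:
        return None


def demo():
    """Walk one non-rotating session through the three interesting moments."""
    iss = Issuer(rotate=False)
    t0 = 1_700_000_000.0  # constructed login time
    grant = iss.login("alice", t0)
    rt = grant["refresh_token"]
    early = iss.refresh(rt, t0 + 3600)                        # plenty of time left
    late = iss.refresh(rt, t0 + iss.refresh_max_ttl - 1000)   # inside warning window
    final = try_refresh(iss, rt, t0 + iss.refresh_max_ttl)    # hard limit reached
    return {"early_warned": "warning" in early,
            "late_warned": "warning" in late,
            "late_remaining": late.get("refresh_expires_in"),
            "reauth_required": final is None,
            "refresh_rotated": "refresh_token" in early}


if __name__ == "__main__":
    print(demo())
```

With `rotate=False` the refresh response never carries a new `refresh_token`, which is the behaviour asked about in the question; with `rotate=True` each refresh replaces the value but the original `expires_at` is carried over, so a hard maximum lifetime is still enforced. The `warning` and `refresh_expires_in` fields are custom additions to the refresh response, which matches the reply's point that standard OAuth flows define no such hint.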