Does the OIDC refresh token need any permanent cache?
Jim Fox
fox at washington.edu
Tue May 12 18:02:00 UTC 2020
> Does the refresh token carry within it enough information for the IdP to issue a new id token? Or is
> there a permanent cache needed somewhere?
>
> Yes: all the needed information is encoded inside the refresh_token (which is encrypted via data sealer). Depending
> on your attribute-resolver configuration, also the attribute/claim values might be included [1].
>
> There’s no need (actually not even support at the moment) for any server-side cache/storage regarding them.
The revocation cache is maintained in server-side storage. So revocation at one host would still allow refresh tokens to be used on other hosts. Correct?
If so, is there a way for me, via a hook or something, to intercept a refresh request and deny it if the subject was in a local "do not refresh" list - a list that I would maintain by other means?
Jim