Yes, the refresh_token last until the user revoke it, If it’s not used for 1 month it will also be revoked. There is also SSO endpoints to revoke a refresh token that you can use if the user decide to delete the account at your site.
Reading the entire SSO documentation is a great way to understand all of it. If you do not, you’re much better off using a library for it, as it’s possible to make mistakes that make the code unsafe (not using state etc.)