OAuth2 refresh_token also generates a new one instead of using the existing one


I have set up this bundle https://github.com/thephpleague/oauth2-server-bundle to implement OAuth2 authentication.

It works perfectly for access token generation and refresh token generation with expiry time.

But when I generate a new access token using grant_type = refresh_token, it also generates a new refresh token and invalidates the older one. So in this case the refresh token never expires, because a new one is issued every time, and the user will never be logged out.


DonCallisto On

I think it's not a bundle/library "issue". As a matter of fact, it isn't an issue at all. That's because (quoting the RFC):

The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client.

So it depends on the authorization server and its issuing policy.
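The behaviour the answer describes is refresh token rotation: on each refresh the server revokes the presented refresh token and issues a new one. The following added example (not code from the bundle or from either poster) models that policy in a small in-memory authorization server, and also shows the usual way to address the question's concern that the user is never logged out: a per-token refresh lifetime plus an absolute session lifetime that caps the whole rotation chain. All lifetimes, names and the storage layout are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Lifetimes are assumptions for this example, not the bundle's defaults.
ACCESS_TTL = 3600            # access token valid for 1 hour
REFRESH_TTL = 30 * 86400     # each refresh token valid for 30 days
SESSION_MAX = 90 * 86400     # absolute cap: no rotation chain outlives 90 days


@dataclass
class RefreshToken:
    user: str
    issued_at: int           # when this particular refresh token was issued
    session_started: int     # when the first token of this rotation chain was issued
    revoked: bool = False


@dataclass
class AuthServer:
    # Keyed by the raw token for brevity; a real server stores a hash of it,
    # so a database leak does not hand out usable refresh tokens.
    refresh_tokens: dict = field(default_factory=dict)

    def _issue(self, user: str, now: int, session_started: int) -> dict:
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = RefreshToken(user, now, session_started)
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": ACCESS_TTL}

    def login(self, user: str, now: int) -> dict:
        """Initial grant (password, authorization code, ...): starts a new chain."""
        return self._issue(user, now, session_started=now)

    def refresh(self, refresh_token: str, now: int) -> dict:
        """grant_type=refresh_token with rotation and an absolute session cap."""
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec.revoked:
            raise PermissionError("invalid_grant: unknown or revoked refresh token")
        if now >= rec.issued_at + REFRESH_TTL:
            raise PermissionError("invalid_grant: refresh token expired")
        if now >= rec.session_started + SESSION_MAX:
            raise PermissionError("invalid_grant: session lifetime exceeded")
        # Rotation, as the RFC permits: the old token is revoked and a fresh
        # pair is issued. The new token inherits the chain's start time, so
        # rotating forever cannot extend the session past SESSION_MAX.
        rec.revoked = True
        return self._issue(rec.user, now, rec.session_started)


if __name__ == "__main__":
    srv = AuthServer()
    t0 = 1_000_000
    first = srv.login("alice", t0)
    second = srv.refresh(first["refresh_token"], t0 + 60)
    print("rotated:", first["refresh_token"] != second["refresh_token"])
    try:
        srv.refresh(first["refresh_token"], t0 + 120)
    except PermissionError as e:
        print("old token rejected:", e)
```

Without the `session_started` bookkeeping, a client that refreshes at least once every `REFRESH_TTL` keeps the session alive indefinitely, which is exactly what the question observes; the absolute cap is what forces an eventual re-authentication.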