
When I refresh an OAuth access token A, I get a new access token B. But A is still valid, I can still use it.

Shouldn't the old access token be invalidated by the refresh operation? If not, if it's "by design", could someone give me details about why?

Note: using Symfony with the FOSOAuthServerBundle bundle.

marcv


The RFC6749 section 1.5 indicates that:

Refresh tokens are issued to the client by the authorization server and are used to obtain [...] additional access tokens with identical or narrower scope

As far as I understand, the access token A may still be valid when an access token B is issued with the refresh token.

Spomky-Labs
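The behaviour the answer describes, as an added illustration that is not code from the question, the answer, or FOSOAuthServerBundle: a minimal in-memory authorization-server token store. By default it follows RFC 6749, so the previous access token stays valid until it expires; an optional `revoke_on_refresh` policy (an assumed name, as are `TokenStore` and `is_valid`) revokes the superseded token at refresh time to shorten the window in which a leaked old token can be used.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class AccessToken:
    value: str
    client_id: str
    scope: set
    expires_at: float
    revoked: bool = False


class TokenStore:
    """Assumed minimal store: access tokens plus the refresh grants that issued them."""

    def __init__(self, revoke_on_refresh=False, access_ttl=3600):
        self.revoke_on_refresh = revoke_on_refresh  # hardening policy, off = plain RFC behaviour
        self.access_ttl = access_ttl
        self.access = {}   # access token value -> AccessToken
        self.refresh = {}  # refresh token value -> grant (client, granted scope, current access token)

    def _mint(self, client_id, scope):
        tok = AccessToken(secrets.token_urlsafe(32), client_id, set(scope), time.time() + self.access_ttl)
        self.access[tok.value] = tok
        return tok.value

    def issue(self, client_id, scope):
        access = self._mint(client_id, scope)
        refresh = secrets.token_urlsafe(32)
        self.refresh[refresh] = {"client_id": client_id, "scope": set(scope), "access": access}
        return access, refresh

    def refresh_access(self, refresh_value, client_id, scope=None):
        grant = self.refresh.get(refresh_value)
        if grant is None or grant["client_id"] != client_id:
            raise PermissionError("invalid_grant")
        scope = set(scope) if scope else grant["scope"]
        if not scope <= grant["scope"]:  # RFC 6749: identical or narrower scope only
            raise PermissionError("invalid_scope")
        if self.revoke_on_refresh and grant["access"] in self.access:
            self.access[grant["access"]].revoked = True  # old token A stops working now
        grant["access"] = self._mint(client_id, scope)  # new token B
        return grant["access"]

    def is_valid(self, access_value, now=None):
        """What a resource server would check: known, not revoked, not expired."""
        tok = self.access.get(access_value)
        now = time.time() if now is None else now
        return tok is not None and not tok.revoked and tok.expires_at > now
```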