When doing a bearer token refresh, I notice the server returns a new refresh token as well - in order to refresh again, I need to send the new refresh token. If I send the old one I get an “invalid_request” response. Is this supposed to be done this way? It seems overkill to have both the bearer and refresh tokens reset.
If for some reason I fail to save the refresh token (maybe an exception gets thrown as I handle the new data, before I can persist it), I will be permanently locked out of refreshing, and the user will have to go through the authorization flow again. It also doesn’t help that the error message (invalid_request) is vague - should I force the user to re-authorize on all invalid_request errors?
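Rotation with persist-before-handle, as an added example that is not part of the original post: a constructed mock token endpoint that rotates the refresh token on every use and rejects reuse with "invalid_request" (as the question observes), and a client that writes the new refresh token to durable storage before doing anything else with the response, so an exception while handling the new data cannot strand it. The endpoint, store and handler names are assumptions.

```python
import secrets

class MockTokenEndpoint:
    """Constructed stand-in for the real token endpoint: refresh tokens are
    single-use and rotated, and reuse is rejected with "invalid_request"
    exactly as the question observes."""
    def __init__(self, initial_refresh):
        self.valid_refresh = {initial_refresh}

    def refresh(self, refresh_token):
        if refresh_token not in self.valid_refresh:
            return {"error": "invalid_request"}
        self.valid_refresh.discard(refresh_token)  # old token dies on use
        new_refresh = secrets.token_urlsafe(16)
        self.valid_refresh.add(new_refresh)
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": new_refresh, "expires_in": 3600}

class TokenStore:
    """A dict stands in for the client's durable storage (disk, keychain)."""
    def __init__(self, refresh_token):
        self.data = {"refresh_token": refresh_token}

    def save_refresh(self, value):
        self.data["refresh_token"] = value

def refresh_session(endpoint, store, on_new_tokens):
    """Write the rotated refresh token to durable storage BEFORE any other
    handling, so a crash in on_new_tokens cannot strand the client."""
    resp = endpoint.refresh(store.data["refresh_token"])
    if "error" in resp:
        raise PermissionError(resp["error"])   # caller decides to re-authorize
    store.save_refresh(resp["refresh_token"])  # durable write comes first
    on_new_tokens(resp)                        # may raise; state already safe
    return resp

def demo():
    endpoint = MockTokenEndpoint("rt-initial")  # constructed initial token
    store = TokenStore("rt-initial")
    def crashing_handler(resp):
        raise RuntimeError("bug while handling the new token data")
    try:
        refresh_session(endpoint, store, crashing_handler)
    except RuntimeError:
        pass                                   # an app bug, not a lockout
    old_reuse = endpoint.refresh("rt-initial")  # rejected, as observed
    second = refresh_session(endpoint, store, lambda r: None)  # still works
    return old_reuse, second
```

For what it is worth, RFC 6749 uses invalid_grant (not invalid_request) for an expired, revoked or otherwise unusable refresh token, so a client is better off matching the specific error string than treating every token-endpoint error as a reason to re-run the authorization flow.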