This has been discussed in #631, but I think the merged solution (#660) does not fix it.
From what I understand, the objective of the grace period is to allow clients to send another refresh_token request using the same refresh token and get the newly generated access token back every time during that period.
The problem with #660 is that it only makes sure the new access token is returned, not the new refresh token generated by the token rotation.
This means that all refresh_token requests made during the grace period will return the revoked refresh token instead of the new one generated during the first refresh_token request. As such, if the client loses the new refresh token returned during the first call, it won't be able to renew tokens anymore.
To illustrate, assume we have an access/refresh token pair (A1, R1) that we want to refresh.
This is the current behavior:
- First refresh
  - R1 is sent to /o/token/
  - R1 is revoked
  - /o/token/ returns a pair (A2, R2) of new access and refresh tokens (per token rotation)
- Second refresh (during grace period)
  - R1 is sent to /o/token/
  - R1 is already revoked
  - /o/token/ returns a pair (A2, R1) of the new access token and the old, revoked refresh token
Shouldn't the second refresh call return (A2, R2)? Is this the desired behavior?
If not, I already have a fix and will create a pull request.
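The two call sequences above, modelled as an added example: a minimal in-memory refresh-token store with rotation and a grace period. This is not django-oauth-toolkit's own code; `TokenStore`, `RefreshToken`, `InvalidGrant` and the `fixed` switch are assumptions made here so the reported behaviour (`fixed=False`, second call returns (A2, R1)) can be run side by side with the expected behaviour (`fixed=True`, second call returns (A2, R2)). Token names A1/R1, A2/R2 follow the issue text; the 120-second grace period is a constructed value.

```python
"""Simplified model of refresh-token rotation with a grace period (illustration only)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import itertools


class InvalidGrant(Exception):
    """Raised when a presented refresh token cannot be exchanged (hypothetical name)."""


@dataclass
class RefreshToken:
    token: str
    access_token: str                 # access token issued alongside this refresh token
    revoked_at: Optional[float] = None
    rotated_to: Optional[str] = None  # refresh token that replaced this one on first use


class TokenStore:
    """In-memory stand-in for the /o/token/ refresh_token grant (assumed model).

    fixed=False reproduces the behaviour reported above: inside the grace period
    the revoked token is echoed back with the new access token, i.e. (A2, R1).
    fixed=True returns the rotated pair (A2, R2) on every call inside the grace period.
    """

    def __init__(self, grace_period: float = 120.0, fixed: bool = True):
        self.grace_period = grace_period  # seconds; constructed value
        self.fixed = fixed
        self.tokens: Dict[str, RefreshToken] = {}
        self._ids = itertools.count(1)

    def issue_pair(self) -> Tuple[str, str]:
        """Issue a fresh (access, refresh) pair; names follow the A1/R1 scheme of the issue."""
        n = next(self._ids)
        access, refresh = f"A{n}", f"R{n}"
        self.tokens[refresh] = RefreshToken(token=refresh, access_token=access)
        return access, refresh

    def refresh(self, presented: str, now: float) -> Tuple[str, str]:
        rt = self.tokens.get(presented)
        if rt is None:
            raise InvalidGrant("unknown refresh token")
        if rt.revoked_at is None:
            # First use: rotate. Revoke the presented token and remember its replacement
            # so later calls inside the grace period can hand back the same pair.
            access, new_refresh = self.issue_pair()
            rt.revoked_at = now
            rt.rotated_to = new_refresh
            return access, new_refresh
        if rt.rotated_to is not None and now - rt.revoked_at <= self.grace_period:
            replacement = self.tokens[rt.rotated_to]
            if self.fixed:
                # Return the full rotated pair: the client can always recover R2.
                return replacement.access_token, replacement.token
            # Reported behaviour: new access token, but the old, revoked refresh token.
            return replacement.access_token, rt.token
        raise InvalidGrant("refresh token revoked")


def safe_refresh(store: TokenStore, presented: str, now: float) -> Optional[Tuple[str, str]]:
    """Like store.refresh, but returns None instead of raising InvalidGrant."""
    try:
        return store.refresh(presented, now)
    except InvalidGrant:
        return None


def scenario(fixed: bool) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Replay the issue: refresh R1, then refresh R1 again 30 s later (inside the grace period)."""
    store = TokenStore(fixed=fixed)
    store.issue_pair()                        # (A1, R1)
    first = store.refresh("R1", now=0.0)      # (A2, R2) in both variants
    second = store.refresh("R1", now=30.0)    # (A2, R1) reported vs (A2, R2) expected
    return first, second


if __name__ == "__main__":
    print("reported:", scenario(fixed=False))
    print("expected:", scenario(fixed=True))
```

Outside the grace period the revoked token is rejected in both variants, and the rotated token R2 keeps working, so the only observable difference is which refresh token the second in-grace call returns.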