…ired DefaultTokenServices detect when a refresh token is expired and replace it. The original fix only dealt with null refresh tokens. A better(?) solution is to detect an expired refresh token and replace it during the createAccessToken stage of authentication.
… authorization request
AuthorizationRequestFactory and ParametersValidator are combined into AuthorizationRequestManager and an extra method is added to updateBeforeApproval(AuthorizationRequest). This last can be used to deal with complex input from the approval process, like individual scopes that are denied.