A client error response for the refresh grant is assumed to be an
irrecoverable error; e.g. the refresh token is invalid, the
authorization is invalid, user is logged out, etc. In such cases we will
consider the session state to be invalid, and a new authorization grant
should be performed.
One of the changes in OAuth 2.1 addresses attacks with refresh token
replays by recommending the use of one-time use tokens. A refresh token
is thus rotated and invalid after exactly one use, returning a new token
for each successful grant. Any further attempts must thus use the most
recently acquired refresh token. Reusing a refresh token may also
cause the authorization server to invalidate the current active refresh
token, requiring a refresh authorization grant to be reacquired for
further refresh token usage.
The use of locks prevents multiple refresh grant attempts for a given
session from happening across concurrent requests.
