I want to understand how the usage of a refresh token works. I am posting a request to the /oauth/token endpoint, with a grant type of ‘refresh_token’, for which I get a new access token as well as a new refresh token. This, I see, invalidates the previous refresh token so that it can no longer be used to request additional access tokens. Can someone explain to me a use case of such a mechanism for the refresh token? Is there no grant type by which I can get only a new access token?
I was under the assumption that, since the refresh token is long-lived, we store it securely and use it to fetch new access tokens as required, from the same refresh token, until it expires. I might be missing something in terms of understanding, so some explanation on this would be appreciated.
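
The rotation behaviour described in the question, as an added example that is not part of the original post: each refresh returns a new access/refresh pair, and the earlier refresh token is then rejected with `invalid_grant`. `RotatingTokenServer` and `TokenClient` are hypothetical in-memory stand-ins for the /oauth/token endpoint and its client, not any real server's implementation.

```python
import secrets
import time


class InvalidGrant(Exception):
    """Mirrors the OAuth 2.0 'invalid_grant' error for a bad refresh token."""


class RotatingTokenServer:
    """Hypothetical in-memory token endpoint that rotates refresh tokens."""

    def __init__(self, refresh_ttl=3600):
        self.refresh_ttl = refresh_ttl
        self._active = {}  # refresh_token -> (subject, expiry timestamp)

    def _issue(self, subject):
        refresh = secrets.token_urlsafe(32)
        self._active[refresh] = (subject, time.time() + self.refresh_ttl)
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer",
                "refresh_token": refresh}

    def login(self, subject):
        # Stands in for the initial grant that yields the first token pair.
        return self._issue(subject)

    def token(self, grant_type, refresh_token):
        if grant_type != "refresh_token":
            raise ValueError("unsupported_grant_type")
        # pop() makes each refresh token single-use: it is gone once redeemed,
        # so a copy of an already-used token cannot mint new access tokens.
        entry = self._active.pop(refresh_token, None)
        if entry is None or entry[1] < time.time():
            raise InvalidGrant("invalid_grant")
        return self._issue(entry[0])


class TokenClient:
    """Client that always keeps the newest refresh token it was given."""

    def __init__(self, server, subject):
        self.server = server
        self.tokens = server.login(subject)

    def refresh(self):
        # Replace the stored pair as one unit; the old refresh token is dead.
        self.tokens = self.server.token("refresh_token",
                                        self.tokens["refresh_token"])
        return self.tokens["access_token"]
```

The client must persist the returned refresh token before discarding the old one, since the old value can no longer be redeemed.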