oauth-2.0

Does refreshing the refresh token and refreshing the access token use the same parameters?


I read the docs here https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/ which tell me that when we refresh the access token, we pass the grant_type and refresh_token parameters. What about refreshing the refresh token? Do we also pass the same two parameters, refresh_token and grant_type? I did not find a standard for refreshing the refresh token that shows how to do it. Or should we not refresh the refresh token at all, and just let the user log in again?


Solution

  • Refresh tokens are typically longer-lived so one can use them to request new access tokens after the shorter-lived access tokens expire, but this brings one concern about the safety of the refresh token, as it gives the holder enough power to get a new access token to access the protected resources at any time. The concern can be addressed to a certain extent by rotating the refresh tokens. Refresh token rotation guarantees that every time an application exchanges a refresh token to get a new access token, a new refresh token is also returned. Therefore, you no longer have a long-lived refresh token that could provide illegitimate access to resources if it ever becomes compromised. The threat of illegitimate access is reduced as refresh tokens are continually exchanged and invalidated.

    Does refreshing the refresh token and refreshing the access token use the same parameters?

    The outcome depends on the authorization server's policy on whether it returns the same or a new refresh token when refreshing an access token.
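As an added illustration, not part of the question or answer above, the following Python sketch models a token endpoint that handles the refresh grant with the two standard parameters (grant_type and refresh_token) and applies the rotation the answer describes, including invalidation of the whole token family when an already-rotated refresh token is presented again. The in-memory store, the "family" grouping and the helper names are constructed assumptions, not any particular server's API.

```python
import secrets

# Constructed in-memory store; a real authorization server would persist this.
# refresh_token -> {"family": str, "user": str, "used": bool}
REFRESH_STORE = {}
# Families whose chain of refresh tokens has been revoked after a replay.
REVOKED_FAMILIES = set()


def issue_tokens(user, family=None):
    """Issue a new access token plus a fresh refresh token in the same family.

    A 'family' ties together every refresh token descended from one login,
    so a replay of any old member can revoke the whole chain.
    """
    family = family or secrets.token_urlsafe(8)
    refresh_token = secrets.token_urlsafe(32)
    REFRESH_STORE[refresh_token] = {"family": family, "user": user, "used": False}
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 900,          # short-lived access token (seconds)
        "refresh_token": refresh_token,  # rotated: differs on every refresh
    }


def token_endpoint(params):
    """Handle a refresh request: grant_type=refresh_token&refresh_token=...

    Refreshing the access token and 'refreshing' the refresh token are the
    same request; rotation is the server's choice, not a separate grant.
    """
    if params.get("grant_type") != "refresh_token":
        return {"error": "unsupported_grant_type"}
    record = REFRESH_STORE.get(params.get("refresh_token"))
    if record is None or record["family"] in REVOKED_FAMILIES:
        return {"error": "invalid_grant"}
    if record["used"]:
        # An already-rotated token was replayed: either the client or an
        # attacker holds a stolen copy, so invalidate the entire family.
        REVOKED_FAMILIES.add(record["family"])
        return {"error": "invalid_grant"}
    record["used"] = True   # the presented token is single-use from now on
    return issue_tokens(record["user"], record["family"])
```

A legitimate client simply stores the refresh_token from each response and discards the previous one; if the server's policy is to return the same token instead, the client logic is unchanged.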