java, oauth-2.0

What should I do when the client requests to refresh a valid access token?


I am writing a refresh-access-token REST API, and I am facing a problem: I do not know the right way to handle a refresh request for a valid access token. For example, when the access token has not expired and the client requests a new access token, should I give a new access token? Or give the old token? Or decide by the expiry time: if more than 1 hour remains, give the legacy access token; if less than 1 hour remains, give a new access token?


Solution

  • Yes, issue a new access token. This improves security and avoids token misuse. Access token rotation (even when the tokens are not expired) is preferred whenever possible.

    Further, this fully agrees with the OAuth 2.0 RFC:

    Refreshing an Access Token

    If valid and authorized, the authorization server issues an access token as described in Section 5.1. If the request failed verification or is invalid, the authorization server returns an error response as described in Section 5.2.
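A worked example of the behaviour the answer recommends, added here and not part of the original question or answer: a small in-memory Java token service whose refresh endpoint always mints a new access token and immediately invalidates the old one, regardless of how much lifetime the old one had left. It goes slightly beyond the answer by also rotating the refresh token and revoking the whole grant when an already-rotated refresh token is replayed, which the OAuth 2.0 RFC permits (Section 6 says the server MAY issue a new refresh token and MAY revoke the old one). The class, method names and one-hour lifetime are my own illustrative choices, not a real framework's API.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Illustrative in-memory token service; hypothetical, not a real library. */
public class RefreshTokenService {

    /** One refresh grant: its owner and the tokens currently tied to it. */
    static final class Grant {
        final String subject;
        String refreshToken;   // the only refresh token value currently accepted
        String accessToken;    // the only access token value currently accepted
        Instant accessExpiry;
        boolean revoked;
        Grant(String subject) { this.subject = subject; }
    }

    /** What the token endpoint returns to the client. */
    static final class TokenPair {
        final String accessToken;
        final String refreshToken;
        final Instant accessExpiry;
        TokenPair(String a, String r, Instant e) { accessToken = a; refreshToken = r; accessExpiry = e; }
    }

    private static final Duration ACCESS_TTL = Duration.ofHours(1);   // assumed lifetime
    private final SecureRandom random = new SecureRandom();
    // refresh token value -> grant; rotated-out values stay mapped so a replay can be recognised
    private final Map<String, Grant> byRefreshToken = new HashMap<>();
    // access token value -> grant; only tokens that are currently valid are present
    private final Map<String, Grant> byAccessToken = new HashMap<>();

    private String newToken() {
        byte[] buf = new byte[32];
        random.nextBytes(buf);   // 256 bits of CSPRNG output, URL-safe encoded
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Initial issuance, e.g. after the authorization code exchange. */
    public TokenPair issue(String subject, Instant now) {
        return rotate(new Grant(subject), now);
    }

    /** Refresh: always mints a new access token, even if the old one has not expired. */
    public TokenPair refresh(String presentedRefreshToken, Instant now) {
        Grant g = byRefreshToken.get(presentedRefreshToken);
        if (g == null || g.revoked) {
            throw new IllegalArgumentException("invalid_grant");   // RFC 6749 section 5.2 error code
        }
        if (!presentedRefreshToken.equals(g.refreshToken)) {
            // An older, already-rotated refresh token was replayed. Treat it as leaked and
            // revoke the whole grant so neither the legitimate client nor a thief can use it.
            g.revoked = true;
            byAccessToken.remove(g.accessToken);
            throw new IllegalArgumentException("invalid_grant");
        }
        return rotate(g, now);
    }

    /** Replace both tokens of a grant; the previous access token stops working at once. */
    private TokenPair rotate(Grant g, Instant now) {
        if (g.accessToken != null) {
            byAccessToken.remove(g.accessToken);
        }
        g.accessToken = newToken();
        g.accessExpiry = now.plus(ACCESS_TTL);
        g.refreshToken = newToken();
        byAccessToken.put(g.accessToken, g);
        byRefreshToken.put(g.refreshToken, g);
        return new TokenPair(g.accessToken, g.refreshToken, g.accessExpiry);
    }

    /** The check a resource server would perform on an incoming bearer token. */
    public boolean isAccessTokenValid(String accessToken, Instant now) {
        Grant g = byAccessToken.get(accessToken);
        return g != null && !g.revoked && accessToken.equals(g.accessToken) && now.isBefore(g.accessExpiry);
    }

    public static void main(String[] args) {
        RefreshTokenService svc = new RefreshTokenService();
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");   // constructed clock for the demo
        TokenPair first = svc.issue("alice", t0);
        // The client refreshes after five minutes, long before the one-hour expiry.
        TokenPair second = svc.refresh(first.refreshToken, t0.plus(Duration.ofMinutes(5)));
        Instant later = t0.plus(Duration.ofMinutes(6));
        System.out.println("new access token differs from old: " + !first.accessToken.equals(second.accessToken));
        System.out.println("old access token still valid:      " + svc.isAccessTokenValid(first.accessToken, later));
        System.out.println("new access token valid:            " + svc.isAccessTokenValid(second.accessToken, later));
        try {
            svc.refresh(first.refreshToken, t0.plus(Duration.ofMinutes(7)));   // replay of rotated token
        } catch (IllegalArgumentException e) {
            System.out.println("replayed refresh token rejected:   " + e.getMessage());
        }
        System.out.println("grant survives replay:             " + svc.isAccessTokenValid(second.accessToken, later));
    }
}
```

Running main prints true, false, true, invalid_grant, false: the refresh issued a new access token while the old one had 55 minutes left, the old one was usable nowhere afterwards, and replaying the superseded refresh token killed the grant. That last step is the practical reason to prefer unconditional rotation over the "hand back the legacy token if more than an hour remains" option from the question: with rotation, every refresh produces a clean cut between old and new credentials, so a leaked token has a short, predictable window rather than one that depends on when the client happened to refresh.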