CS3099JH2017 / cs3099jh

CS3099 Junior Honours Project Protocol and Discussion Central Repo

Clarification: Is the original access token in the header when requesting refresh token? #30

Open TheDuckGoesQuark opened 6 years ago

TheDuckGoesQuark commented 6 years ago

Which scenario is correct:

1:

User has authenticated and received a token. The user's token is about to expire, so they request a new one. POST to oauth/token with "refresh_token" grant type and the corresponding refresh token, with "bearer " + access_token in the header. Returns a completely new token with new access_token/refresh_token fields.

2:

User has authenticated and received a token. The user's token is about to expire OR has expired, so they request a new one. POST to oauth/token with "refresh_token" grant type and the corresponding refresh token, no headers. Returns a completely new token with new access_token/refresh_token fields.

3:

Same as 2, but returns a new token where access_token = previous refresh_token, and refresh_token is renewed.

magnostherobot commented 6 years ago

From Protocol BE01 (italic emphasis mine):

Requests MUST be of the form

grant_type=refresh_token
refresh_token=<refresh_token>

where refresh_token is a token that previously appeared in a server response and is still under its validity period.

The refresh_token must be within its validity period, which means the corresponding access_token is also still valid (italic emphasis mine):

the expires_in field gives the validity period of the tokens, _it applies to both the access_token and the refresh_token_, it is specified in seconds and SHOULD be at least 6 hours.

This means that neither of the user's tokens can have expired when requesting a refresh, so options 2 and 3 cannot be correct. Option 1 is almost correct: the "completely new token"/"new access_token/refresh_token fields" may be the same tokens as the previous ones:

The server MAY reuse the access_token or refresh_token but if it does so it MUST ensure that the validity of the new tokens extend to match the new expiry time.

From what I can see, there is nothing in BE01.md stating that an Authorisation field is necessary for refreshing tokens.
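To make the behaviour described in this answer concrete, here is an added server-side sketch of the BE01 refresh_token grant (example code, not the CS3099 project's own). It assumes a simple in-memory token store and hypothetical function names; it checks only the presented refresh token (no Authorization header), rejects anything outside its validity period, and shows both the rotate and the MAY-reuse-with-extended-expiry cases.

```python
import secrets
import time
from urllib.parse import parse_qs

MIN_EXPIRES_IN = 6 * 60 * 60  # BE01: expires_in SHOULD be at least 6 hours

# Constructed store: refresh_token -> (access_token, expiry timestamp).
# expires_in applies to both tokens, so one expiry is kept per pair.
TOKENS = {}

def issue(now, reuse=None):
    """Issue a token pair valid for MIN_EXPIRES_IN seconds from `now`.
    If `reuse` is an existing (access, refresh) pair, the same strings are
    kept but their validity is extended (the server MAY reuse clause)."""
    access, refresh = reuse or (secrets.token_urlsafe(32), secrets.token_urlsafe(32))
    TOKENS[refresh] = (access, now + MIN_EXPIRES_IN)
    return {"access_token": access, "refresh_token": refresh,
            "expires_in": MIN_EXPIRES_IN}

def refresh(body, now, reuse_tokens=False):
    """Handle the form body of POST /oauth/token for grant_type=refresh_token.
    No Authorization header is consulted: the refresh token alone identifies
    and authorises the request. Returns (http_status, response_dict)."""
    form = parse_qs(body)
    if form.get("grant_type") != ["refresh_token"]:
        return 400, {"error": "unsupported_grant_type"}
    presented = form.get("refresh_token", [None])[0]
    entry = TOKENS.get(presented)
    if entry is None or entry[1] <= now:
        # Unknown or expired: the client has to authenticate again.
        TOKENS.pop(presented, None)
        return 400, {"error": "invalid_grant"}
    old_access, _ = entry
    if reuse_tokens:
        return 200, issue(now, reuse=(old_access, presented))
    # Rotation (assumed policy): the old refresh token must not be replayable.
    del TOKENS[presented]
    return 200, issue(now)

if __name__ == "__main__":
    now = int(time.time())
    first = issue(now)
    print(refresh("grant_type=refresh_token&refresh_token=" + first["refresh_token"], now + 60))
```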