Scenario
The client requests an accessToken with a valid authCode.
Expected behavior
The server checks whether a valid, not yet expired accessToken already exists. If yes, this token would be sent. Otherwise a new token would be generated and sent.
Actual behavior
The server generates a new accessToken every time. So I have multiple valid tokens for the same client.
This is an issue because it defeats the purpose of rate limits, which now must be made against the user/client combo, making it harder to do with prebuilt solutions.
https://github.com/FriendsOfSymfony/oauth2-php/blob/a41fef63f81ef2ef632350a6c7dc66d15baa9240/lib/OAuth2.php#L861
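The expected behavior described in the report, as an added illustration (not code from oauth2-php): the token endpoint looks up an unexpired token for the same client/user pair and returns it, and only mints a new one when none exists or the existing one has expired. The in-memory store, the `issue_access_token` helper and the `reuse_existing` switch (which, when off, reproduces the reported behavior of a fresh token on every exchange) are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class AccessToken:
    token: str
    client_id: str
    user_id: str
    expires_at: float


class TokenStore:
    """Constructed in-memory store keyed by (client, user); a server would use a database."""

    def __init__(self):
        self._by_owner = {}

    def find_valid(self, client_id, user_id, now):
        # Return the stored token only if it is still within its lifetime.
        tok = self._by_owner.get((client_id, user_id))
        if tok is None or tok.expires_at <= now:
            return None
        return tok

    def save(self, tok):
        self._by_owner[(tok.client_id, tok.user_id)] = tok


def issue_access_token(store, client_id, user_id, lifetime=3600, now=None, reuse_existing=True):
    """Return (token, created). created is False when an existing valid token was reused.

    reuse_existing=True is the behavior the report expects; False is the reported
    actual behavior (a new token on every authorization-code exchange).
    """
    now = time.time() if now is None else now
    if reuse_existing:
        existing = store.find_valid(client_id, user_id, now)
        if existing is not None:
            return existing, False
    # 32 random bytes from the OS CSPRNG; never derive tokens from predictable input.
    tok = AccessToken(secrets.token_urlsafe(32), client_id, user_id, now + lifetime)
    store.save(tok)
    return tok, True
```

Note that with reuse enabled, revoking the shared token ends every session of that client/user pair at once, so per-client rate limiting keyed on the token becomes possible at the cost of per-session revocation granularity.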