twitchdev / issues

Issue tracker for third party developers.
Apache License 2.0

Using a revoked DCF refresh token kills the connection between user and app #903

Open thedist opened 8 months ago

thedist commented 8 months ago

Brief description

When using the Refresh Tokens endpoint with a refresh token from the DCF, the new tokens work as expected, and as the documentation states the old access/refresh tokens are revoked. The issue is that if the old refresh token that was revoked is used again in the Refresh Tokens endpoint, it will kill the connection between the user and app, revoking all valid tokens and EventSub subscriptions.

How to reproduce

  1. Create a Public app
  2. Have a user go through the Device Code Flow and get an access token and refresh token
  3. Use the refresh token with the Refresh Tokens endpoint to get a new pair of tokens.
  4. Use the same refresh token as previously used to attempt to refresh a 2nd time.
  5. All connection between user and app is killed. User has to go through the DCF again to get tokens again.

Expected behavior

Based on current documentation, I expect the old tokens to be revoked, so step 4 of the reproduction steps should just return an Invalid refresh token error; it should not also kill the connection to the app and require the user to go through the DCF again.

Additional context or questions

RFC 8628 (OAuth 2.0 Device Authorization Grant) does not contain anything specific to the DCF when it comes to refreshing tokens. RFC 6749 (The OAuth 2.0 Authorization Framework) does cover the specification of refreshing tokens, and while it says the auth server MAY revoke the old refresh token, it does not mention killing the connection between app and user if a revoked refresh token is presented a second time.
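The behaviour reported above, where presenting an already-rotated refresh token a second time revokes the whole user-app authorization rather than just returning an error, matches what RFC 9700 (OAuth 2.0 Security Best Current Practice, section 4.14.2) describes for refresh token rotation: the server cannot tell whether the legitimate client or an attacker holding a leaked copy is replaying the old token, so it revokes the active grant and forces a fresh authorization. The Python model below is an added example, not code from this issue tracker or from Twitch's implementation; it simulates an authorization server with refresh token rotation under both policies (plain rejection versus reuse detection) and runs the five reproduction steps against each. The token format, the `grant_id`/`Grant` bookkeeping, the `eventsub_subscriptions` set and the client id `public-app` are assumptions made for the illustration.

```python
"""Refresh token rotation with and without reuse detection (added example).

Models the authorization-server side so the two policies can be compared
offline; nothing here is Twitch's real code. Token values, the Grant record
and the EventSub bookkeeping are assumptions for the illustration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Grant:
    """One user<->app authorization ('connection'); all its tokens hang off it."""
    grant_id: str
    user: str
    client_id: str
    access_tokens: set = field(default_factory=set)
    refresh_tokens: set = field(default_factory=set)        # currently valid
    spent_refresh_tokens: set = field(default_factory=set)  # rotated away
    eventsub_subscriptions: set = field(default_factory=set)
    revoked: bool = False


class AuthorizationServer:
    def __init__(self, reuse_detection: bool):
        # reuse_detection=True: replaying a rotated refresh token revokes the
        # whole grant (the behaviour the report describes; RFC 9700 s.4.14.2).
        # reuse_detection=False: the old token is simply rejected.
        self.reuse_detection = reuse_detection
        self.grants = {}
        self.refresh_index = {}  # refresh token (valid or spent) -> grant_id

    def device_code_flow(self, user, client_id, subs=()):
        """Stand-in for a completed DCF: creates the grant, returns the first pair."""
        g = Grant(secrets.token_hex(4), user, client_id)
        g.eventsub_subscriptions.update(subs)
        self.grants[g.grant_id] = g
        return self._issue(g)

    def _issue(self, g):
        access, refresh = secrets.token_hex(8), secrets.token_hex(8)
        g.access_tokens.add(access)
        g.refresh_tokens.add(refresh)
        self.refresh_index[refresh] = g.grant_id
        return {"access_token": access, "refresh_token": refresh}

    def _revoke_grant(self, g):
        """Kill the connection: every token and subscription of the grant goes."""
        g.revoked = True
        g.access_tokens.clear()
        g.refresh_tokens.clear()
        g.eventsub_subscriptions.clear()

    def refresh(self, refresh_token, client_id):
        g = self.grants.get(self.refresh_index.get(refresh_token))
        if g is None or g.revoked or g.client_id != client_id:
            return {"error": "invalid_grant"}
        if refresh_token in g.spent_refresh_tokens:
            # Replay of a token that was already rotated: either the client
            # lost the new token or someone else holds a copy of the old one.
            if self.reuse_detection:
                self._revoke_grant(g)
            return {"error": "invalid_grant"}
        # Normal rotation: old pair becomes invalid, a fresh pair is issued.
        g.refresh_tokens.discard(refresh_token)
        g.spent_refresh_tokens.add(refresh_token)
        g.access_tokens.clear()
        return self._issue(g)

    def validate(self, access_token):
        return any(access_token in g.access_tokens for g in self.grants.values())


def reproduce(reuse_detection):
    """Steps 1-5 of the report; returns what the app would observe afterwards."""
    srv = AuthorizationServer(reuse_detection)
    first = srv.device_code_flow("user1", "public-app", subs={"channel.follow"})  # step 2
    second = srv.refresh(first["refresh_token"], "public-app")                     # step 3
    retry = srv.refresh(first["refresh_token"], "public-app")                      # step 4
    g = next(iter(srv.grants.values()))
    new_access_ok = srv.validate(second.get("access_token", ""))
    eventsub_kept = bool(g.eventsub_subscriptions)
    new_refresh_ok = "access_token" in srv.refresh(second.get("refresh_token", ""), "public-app")
    return {
        "rotation_ok": "access_token" in second,
        "retry_error": retry.get("error"),
        "new_access_still_valid": new_access_ok,
        "eventsub_kept": eventsub_kept,
        "new_refresh_still_usable": new_refresh_ok,
    }


if __name__ == "__main__":
    for policy in (False, True):
        print("reuse_detection =", policy, "->", reproduce(policy))
```

Under plain rejection the retry only yields `invalid_grant` and the new pair keeps working; under reuse detection the same retry leaves the app with no valid access token, no usable refresh token and no EventSub subscriptions, which is exactly step 5. The practical consequence for a client is that the new refresh token must be persisted before the old one is discarded, and a failed or timed-out refresh must never be retried with the token that was already sent.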