0 votes

I have an authorization server that provides me an access token with a refresh token too.

I can get a protected resource with an access token, as the typical OAuth2 flow explains, and I can get new access tokens through the refresh token. At this point, all is OK.

However, I can get a protected resource with the refresh token too! Is this normal in OAuth2? Does the refresh token have both behaviors?

Thanks


1 Answer

1 votes

That is not normal and defeats the point of having two tokens in the first place since they both end up in the same places. The access token is something that is used between client and protected resource. The refresh token is something that is to be used between client and authorization server only. It should not be known outside of those two parties so should not end up at the resource server.

But it is really the client implementation that is wrong here since even if the refresh token could get you access to the protected resource, the client is not supposed to do that.
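The separation the answer describes, as an added example (not code from the question, the answer, or any particular OAuth2 library): the resource server accepts only an access token as the bearer credential and returns 401 when a refresh token is presented, the authorization server is the only party that consumes refresh tokens, and the client never puts the refresh token into an `Authorization` header. It assumes both tokens are HS256-signed JWTs sharing one demo signing secret, that access tokens carry the RFC 9068 header `typ` value `at+jwt`, and that refresh tokens carry a constructed `typ` value `rt+jwt`; the function and claim names are this example's own.

```python
"""Added example: a resource server that accepts access tokens only, and a
client/authorization-server pair that keep the refresh token off the API.

Assumptions (not from the original page): HS256 JWTs with one shared demo
secret; access tokens use header typ "at+jwt" (RFC 9068); refresh tokens use
the constructed header typ "rt+jwt".
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"shared-signing-secret-for-demo"  # constructed demo key, not a real secret

ACCESS_TYP = "at+jwt"   # RFC 9068 JWT access token type
REFRESH_TYP = "rt+jwt"  # assumption: how this example marks refresh tokens


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(typ, subject, lifetime, now=None):
    """Authorization server side: mint a signed JWT of the given type."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": typ}
    payload = {"sub": subject, "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def issue_token_pair(subject, now=None):
    """Short-lived access token (5 min) plus long-lived refresh token (1 day)."""
    return {"access_token": issue_token(ACCESS_TYP, subject, 300, now),
            "refresh_token": issue_token(REFRESH_TYP, subject, 86400, now)}


def verify_jwt(token, now=None):
    """Check signature and expiry; return (header, payload) or raise ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h))
    payload = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return header, payload


def resource_server_authorize(authorization_header, now=None):
    """Resource server: accept only a valid *access* token as bearer credential.
    Returns (http_status, detail)."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    token = authorization_header[len("Bearer "):]
    try:
        header, payload = verify_jwt(token, now)
    except ValueError as exc:
        return 401, str(exc)
    # The check the questioner's resource server is missing: a refresh token
    # is not an access token, even when it is signed with the same key.
    if header.get("typ") != ACCESS_TYP:
        return 401, f"token type {header.get('typ')!r} not accepted here"
    return 200, f"hello {payload['sub']}"


def auth_server_refresh(refresh_token, now=None):
    """Authorization server: exchange a refresh token for a new token pair."""
    header, payload = verify_jwt(refresh_token, now)
    if header.get("typ") != REFRESH_TYP:
        raise ValueError("not a refresh token")
    return issue_token_pair(payload["sub"], now)


def client_fetch_resource(tokens, now=None):
    """Client: only the access token ever goes into the Authorization header."""
    return resource_server_authorize("Bearer " + tokens["access_token"], now)


if __name__ == "__main__":
    t = issue_token_pair("alice")
    print(client_fetch_resource(t))                                   # (200, 'hello alice')
    print(resource_server_authorize("Bearer " + t["refresh_token"]))  # (401, ...)
```

The type check on the `typ` header is what makes the two tokens non-interchangeable at the resource server; without it, any token signed by the same key would pass, which is the symptom described in the question. Clients that store both tokens should likewise keep the refresh token in a separate place from the one used to build API requests.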