I understand that Access Tokens are short-lived because they are verified without hitting the database, whereas Refresh Tokens are long-lived and are verified against the database.
What I don't understand is why there's a difference between getting an Access Token initially by sending an Authorization Grant, and later by sending a Refresh Token.
Looking at this diagram from RFC 6749, why doesn't the client simply resend the Authorization Grant in step (G)? Why is a refresh token ever necessary?

    +--------+                                           +---------------+
    |        |--(A)------- Authorization Grant --------->|               |
    |        |                                           |               |
    |        |<-(B)----------- Access Token -------------|               |
    |        |               & Refresh Token             |               |
    |        |                                           |               |
    |        |                            +----------+   |               |
    |        |--(C)---- Access Token ---->|          |   |               |
    |        |                            |          |   |               |
    |        |<-(D)- Protected Resource --| Resource |   | Authorization |
    | Client |                            |  Server  |   |     Server    |
    |        |--(E)---- Access Token ---->|          |   |               |
    |        |                            |          |   |               |
    |        |<-(F)- Invalid Token Error -|          |   |               |
    |        |                            +----------+   |               |
    |        |                                           |               |
    |        |--(G)----------- Refresh Token ----------->|               |
    |        |                                           |               |
    |        |<-(H)----------- Access Token -------------|               |
    +--------+           & Optional Refresh Token        +---------------+
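
The exchange in the diagram, as an added example that is not part of the original post: a toy in-memory model of steps (A) through (H), plus the case the question raises of resending the grant at step (G). It assumes the authorization code grant, where RFC 6749 section 4.1.2 makes the code single use, and an HMAC-signed access token checked without stored state; every class, function and constant name here is hypothetical.

```python
import hashlib, hmac, secrets

KEY = secrets.token_bytes(32)  # toy model: signing key shared by both servers
ACCESS_TTL = 2                 # constructed lifetime, in abstract time units

def _mac(exp):
    return hmac.new(KEY, exp.encode(), hashlib.sha256).hexdigest()

class AuthorizationServer:
    def __init__(self):
        self.codes = set()    # outstanding single-use authorization codes
        self.refresh = set()  # refresh tokens, checked against stored state

    def issue_code(self):
        # Stands in for the resource owner approving the client.
        code = secrets.token_urlsafe(16)
        self.codes.add(code)
        return code

    def token(self, grant_type, value, now):
        store = {"authorization_code": self.codes,
                 "refresh_token": self.refresh}.get(grant_type)
        if store is None:
            return {"error": "unsupported_grant_type"}
        if value not in store:
            return {"error": "invalid_grant"}
        store.discard(value)  # code is single use; refresh token is rotated here
        exp = str(now + ACCESS_TTL)
        new_refresh = secrets.token_urlsafe(16)  # the "optional" one in step (H)
        self.refresh.add(new_refresh)
        return {"access_token": f"{exp}.{_mac(exp)}", "refresh_token": new_refresh}

def resource_server_get(access_token, now):
    """Stateless check: signature and expiry only, no lookup of stored state."""
    exp, _, mac = access_token.partition(".")
    valid = hmac.compare_digest(mac.encode(), _mac(exp).encode())
    if valid and exp.isdigit() and int(exp) > now:
        return "protected resource"
    return "invalid_token"

def run_flow():
    auth = AuthorizationServer()
    code = auth.issue_code()
    first = auth.token("authorization_code", code, now=0)                # (A), (B)
    fresh = resource_server_get(first["access_token"], now=1)            # (C), (D)
    stale = resource_server_get(first["access_token"], now=5)            # (E), (F)
    resent = auth.token("authorization_code", code, now=5)               # grant resent
    second = auth.token("refresh_token", first["refresh_token"], now=5)  # (G), (H)
    renewed = resource_server_get(second["access_token"], now=6)
    return fresh, stale, resent, renewed
```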