I'm implementing an OAuth2 authorization server.
When consuming the OAuth2 exchange of a refresh token for an access token (RFC 6749), my client, a mobile app, is having trouble implementing an interceptor (for many reasons).
Since, before that, my client performs the token exchange flow (RFC 8693) and the access token is stored in the database, I decided to return the CURRENT access token (ONLY if it's still valid) instead of issuing a new access token every time a refresh token is received.
The lifetime of the access token is short (about 5 minutes), and the user can revoke both the access token and the refresh token.
But this decision goes against RFC 6749, which states that a new access token is issued:
"The authorization server authenticates the client and validates the refresh token, and if valid, issues a new access token (and, optionally, a new refresh token)"
I'm wondering if this decision could lead to any issues?
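
The behaviour described in the question, sketched as an added example (not the poster's code): a refresh handler that returns the stored access token only while it is unexpired and unrevoked, and reports `expires_in` as the remaining lifetime rather than the full TTL. `TokenStore`, `refresh_grant`, the `reused` field and the in-memory dictionaries are hypothetical stand-ins for the database mentioned in the post.

```python
import secrets
import time

ACCESS_TTL = 300  # seconds; the post says "about 5 minutes"


class TokenStore:
    """In-memory stand-in for the database in the post (hypothetical)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.refresh = {}  # refresh_token -> {"client_id", "revoked"}
        self.access = {}   # refresh_token -> {"token", "expires_at", "revoked"}

    def add_refresh(self, client_id):
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = {"client_id": client_id, "revoked": False}
        return rt

    def revoke_access(self, rt):
        if rt in self.access:
            self.access[rt]["revoked"] = True


def refresh_grant(store, client_id, refresh_token):
    """Handle grant_type=refresh_token, reusing a still-valid access token."""
    rec = store.refresh.get(refresh_token)
    # The refresh token must exist, be unrevoked, and belong to this client.
    if rec is None or rec["revoked"] or rec["client_id"] != client_id:
        return {"error": "invalid_grant"}
    now = store.clock()
    cur = store.access.get(refresh_token)
    reused = cur is not None and not cur["revoked"] and cur["expires_at"] > now
    if not reused:
        cur = {"token": secrets.token_urlsafe(32),
               "expires_at": now + ACCESS_TTL, "revoked": False}
        store.access[refresh_token] = cur
    return {
        "access_token": cur["token"],
        "token_type": "Bearer",
        # Remaining lifetime, not the full TTL: a reused token has already aged.
        "expires_in": int(cur["expires_at"] - now),
        "reused": reused,  # demo only; not an RFC 6749 response field
    }
```
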