I have an OAuth2 server built with django-oauth-toolkit, and by default, refresh tokens are revoked immediately upon use. This means that if a client requests a new access token using a refresh token but doesn't receive the response due to a network interruption, they will be forced to reauthenticate.
The library provides the setting REFRESH_TOKEN_GRACE_PERIOD_SECONDS, which is an amount of time to wait between the use of a refresh token and its revocation. If a client uses a refresh token and does not receive the response, that original refresh token will still be valid for REFRESH_TOKEN_GRACE_PERIOD_SECONDS, which allows the client to get a new access token without needing to reauthenticate.
As far as I can tell, the purpose of immediately revoking refresh tokens upon use is to prevent replay attacks, but since this authorization server exclusively uses https, it seems this is a sufficient defense against this type of attack.
Are there other vulnerabilities that can result from having a grace period for refresh token revocation? What would be the implications of never revoking a refresh token?
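Added example, not from the question's author and not django-oauth-toolkit's code: a simplified in-memory model of refresh-token rotation with a grace period, extended with the reuse detection that the OAuth 2.0 Security Best Current Practice recommends, where a refresh token presented again after its grace period has ended is treated as evidence of theft and every token descended from that login (its "family") is revoked. The names TokenStore, issue, refresh and family are hypothetical, and `now` is passed in explicitly so the timeline can be simulated.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class RefreshToken:
    family: str                      # every token descended from one login shares a family id
    used_at: Optional[float] = None  # time of first use; None while the token is unused


class TokenStore:
    """Hypothetical in-memory model of refresh-token rotation with a grace period.

    A token is rotated (replaced) on first use. The old token stays usable for
    ``grace_seconds`` so a client that lost the response can retry. Any use after
    that window is treated as a replay and the whole family is revoked.
    """

    def __init__(self, grace_seconds: float) -> None:
        self.grace_seconds = grace_seconds
        self.tokens: Dict[str, RefreshToken] = {}
        self.revoked_families: Set[str] = set()

    def issue(self, family: Optional[str] = None) -> str:
        """Mint a new refresh token, optionally within an existing family."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = RefreshToken(family or secrets.token_hex(8))
        return token

    def refresh(self, token: str, now: float) -> Optional[str]:
        """Exchange a refresh token for a new one, or return None if refused."""
        rt = self.tokens.get(token)
        if rt is None or rt.family in self.revoked_families:
            return None
        if rt.used_at is None:
            rt.used_at = now                      # first use: start the grace clock
            return self.issue(rt.family)
        if now - rt.used_at <= self.grace_seconds:
            return self.issue(rt.family)          # retry inside the grace period
        # Replay after the grace period: a legitimate client has no reason to
        # present this token any more, so revoke every token in the family.
        self.revoked_families.add(rt.family)
        return None
```

The grace window bounds how long a captured refresh token can be replayed without tripping detection; with no revocation at all, that window is the token's whole lifetime and a replay is indistinguishable from legitimate use.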