Description
Describe the bug
Utilizing REFRESH_TOKEN_GRACE_PERIOD_SECONDS allows refresh tokens that have been used multiple times down the rotation chain (i.e., tokens that are several generations old) to be validated and successfully redeemed within the defined grace period. This effectively overrides the intended refresh token reuse protection mechanism.
To Reproduce
- Set REFRESH_TOKEN_GRACE_PERIOD_SECONDS to an arbitrary number (e.g., 1000 seconds).
- Mock an authorization code exchange and create an initial set of tokens (A1 and R1).
- Utilize R1 to obtain a fresh set of tokens (A2 and R2).
- Utilize R2 to obtain another fresh set of tokens (A3 and R3).
- Use the initial token R1 again within the REFRESH_TOKEN_GRACE_PERIOD_SECONDS window.
- Observe that new tokens are returned for R1, which should have been revoked upon the issuance of R2.
Expected behavior
The REFRESH_TOKEN_GRACE_PERIOD_SECONDS setting should only apply to the immediately preceding refresh token to handle race conditions. It should not extend the validity of tokens that are multiple steps down the rotation chain (e.g., R1 should be instantly invalid after R3 is issued, regardless of the grace period).
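The following is an added, self-contained model of the expected semantics (not django-oauth-toolkit's own code): rotation with reuse protection where the grace window covers only the immediately preceding token, and any older generation is treated as replay that revokes the whole chain. The in-memory `TokenStore`, the `chain` id and the choice to hand back the already-issued successor during the grace window are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional
import secrets

GRACE_PERIOD_SECONDS = 1000  # stands in for REFRESH_TOKEN_GRACE_PERIOD_SECONDS

class InvalidGrant(Exception): """Refresh token rejected."""

@dataclass
class RefreshToken:
    value: str
    chain: int                                  # rotation chain id (R1 -> R2 -> R3)
    revoked_at: Optional[float] = None          # when this token was rotated away
    successor: Optional["RefreshToken"] = None  # token issued in exchange for it

class TokenStore:
    """Hypothetical in-memory store used only for this example."""
    def __init__(self, grace_period: float = GRACE_PERIOD_SECONDS):
        self.grace = grace_period
        self.tokens: Dict[str, RefreshToken] = {}
        self.current: Dict[int, RefreshToken] = {}  # chain -> newest live token
        self._chains = 0

    def _mint(self, chain: int) -> RefreshToken:
        tok = RefreshToken(secrets.token_urlsafe(16), chain)
        self.tokens[tok.value] = tok
        self.current[chain] = tok
        return tok

    def issue_initial(self) -> RefreshToken:  # e.g. after an authorization-code exchange (R1)
        self._chains += 1
        return self._mint(self._chains)

    def redeem(self, value: str, now: float) -> RefreshToken:
        tok = self.tokens.get(value)
        if tok is None or tok.chain not in self.current:
            raise InvalidGrant("unknown token or revoked chain")
        if tok.revoked_at is None:  # normal rotation: R_n -> R_n+1
            new = self._mint(tok.chain)
            tok.revoked_at, tok.successor = now, new
            return new
        # Already rotated. Grace covers only the immediately preceding token (its
        # successor is still the newest) and only inside the window; the pair already
        # issued is returned again (assumed race handling) rather than rotating anew.
        if tok.successor is self.current[tok.chain] and now - tok.revoked_at <= self.grace:
            return tok.successor
        # Older generations (R1 once R3 exists) or out-of-window use is replay:
        # revoke the whole chain so the legitimate client must re-authenticate.
        del self.current[tok.chain]
        raise InvalidGrant("refresh token reuse detected; chain revoked")
```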
Version
3.0.1
- [x] I have tested with the latest published release and it's still a problem.
- I have tested with the master branch and it's still a problem.
Additional context
It appears that REFRESH_TOKEN_REUSE_PROTECTION aims to solve the problem of token replay but does not function correctly when REFRESH_TOKEN_GRACE_PERIOD_SECONDS is concurrently set. This behavior severely weakens the security provided by Refresh Token Rotation.