Shouldn't the old access token be invalidated by a refresh call?
The RFC6749 section 1.5 indicates that:
Refresh tokens are issued to the client by the authorization server and areused to obtain [...] additional access tokenswith identical or narrower scope
As far as I understand, the access token A
may be still valid when an access token B
is issued with the refreh token.