# talk-hydra
b
Are old access tokens deleted when the refresh token is rotated?
m
I think the access token obtained with the older refresh is still valid for its lifetime but I would have to check to be sure.
b
it looks like I start getting
debug:not_found message:request_unauthorized ... method:POST path:/oauth2/introspect
after running that test from Google
m
Ok my bad! The FAQ really needs some work 📌
b
Never mind, I just confirmed Google is using a different access token after the test runs, but still token introspection doesn't recognise either, which leads me to believe this PR https://github.com/ory/hydra/pull/2383 is "working as intended" (at first it doesn't seem like Google expected the access token to be expired). The missing piece still is why Google appears to be using the old refresh token after that test fails... or could Hydra have revoked the latest token too? Anyway, it seems like https://github.com/ory/hydra/pull/2827 could be a fix for this.
m
Hm do you think this is causing any adverse behaviour right now? I don't think the latest token should be revoked as well, but yea #2827 should fix it.
b
Yes, unfortunately. I was hoping this would be strictly related to test compliance and not really matter in the "real world", but I just had it fail to rotate the refresh token for my account in "production" (more like dogfooding really) this month. I will see about making a reproducer with a shorter feedback loop. BTW does it help if I do the reproducer on Hydra cloud?
Good news, #2827 fixes the test case and it's looking like it handles the above as well. I have a little concern it may not be addressing the root of the problem though, so I opened a discussion on GitHub to collect some feedback: https://github.com/ory/hydra/discussions/2946