>> I'd propose an alternate (and simpler) solution: when we
>> refresh the token, avoid caching the access token.
> So every request from an app for a token would result in a roundtrip
> to the token endpoint, and a new access token being issued? That's
> abuse of refresh tokens, in my opinion.
Not really, given that the use of refresh tokens is not even mandatory.
> Clients are supposed to use
> the tokens they've been issued for as long as they can, and one of
> SSO's selling points is a secure token cache.
Yes, but this does not contradict the above.
I don't understand your response; it's too terse. Instead of keeping the access
token until it stops working, you are proposing to replace it with a new one via token
refresh every time it's requested by the app (and that may be fairly frequent,
depending on the app's process lifecycle). That violates the idea of access tokens:
you should be keeping and using the one you got for as long as possible. It also
unnecessarily adds to the client's use of power and network. Also, multiply the
frequent token refresh procedure by thousands (millions) of clients and servers will have
a problem with it.