refresh_token flow removes refresh token after first use regardless of settings

[datamystic]

Using https://developers.google.com/oauthplayground, I confirmed that this library removes the refresh_token after the first use, regardless of the always_issue_new_refresh_token and unset_refresh_token_after_use settings e.g.

$server->addGrantType(new OAuth2\GrantType\RefreshToken($storage), array(
	'always_issue_new_refresh_token' => false,
	'unset_refresh_token_after_use' => false,
	'refresh_token_lifetime'         => 3600,  
));

I eventually worked around this by commenting out the code in

public function unsetRefreshToken($refresh_token)

and I will periodically remove expired access tokens from the DB with a script. Yuck.

[michdorf]

The problem seems to be, that the config option 'always_issue_new_refresh_token' is not respected in /vendor/bshaffer/oauth2-server-php/src/OAuth2/GrantType/RefreshToken.php

Another (temporary) solution to the problem is therefore to change line 144 from:
$issueNewRefreshToken = $this->config['always_issue_new_refresh_token'];

to

$issueNewRefreshToken = true;

It would be nice to have the code respect the config-options.