The Alexa Documentation on implementing "Authorization Code Grant" specifically mentions two requirements for Alexa:
- The authorization server should not immediately invalidate previously used access tokens when a new access token is given. This can cause outages in highly distributed and concurrent systems such as the Alexa service.
- The authorization server should not immediately invalidate previously used refresh tokens if a new refresh token is generated after each use. In addition to possibly causing outages in highly distributed and concurrent systems such as Alexa, this also tends to leave the user in a state from which the only recovery is to disable, enable, and account link the skill again from the Alexa App.

I understand that I might get a Request from Alexa with an expired Auth Token, or a Refresh-Token Request with an expired Refresh Token. But how should I react to that? Should I "pretend" that the outdated Auth/Refresh Token is still valid?
Also, when a Refresh-Token Request arrives with an expired Refresh-Token, should I generate a new Auth/Refresh Token pair again (making the previously returned pair invalid) or should I respond with the same pair as I did last time?
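
One way an authorization server could meet the two requirements quoted above, as an added example that is not part of the original question or of Alexa's documentation. The `TokenStore` class, the 60-second `GRACE_SECONDS` window and the choice to return the already-issued pair when a superseded refresh token is replayed inside that window are all assumptions of this sketch; the quoted text gives no number and does not prescribe either behaviour.

```python
import secrets
import time

GRACE_SECONDS = 60  # assumed overlap window; the quoted requirements give no value


class TokenStore:
    """In-memory sketch: refresh-token rotation without immediate invalidation."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.access = {}   # access token -> expiry timestamp
        self.refresh = {}  # refresh token -> {"retired_at", "successor"}

    def _issue(self, access_ttl=3600):
        pair = (secrets.token_urlsafe(32), secrets.token_urlsafe(32))
        self.access[pair[0]] = self.clock() + access_ttl
        self.refresh[pair[1]] = {"retired_at": None, "successor": None}
        return pair

    def link_account(self):
        """Initial authorization-code exchange: first (access, refresh) pair."""
        return self._issue()

    def access_valid(self, token):
        # Issuing a newer access token never revokes an older one;
        # each token simply lives until its own expiry.
        return self.access.get(token, 0) > self.clock()

    def refresh_grant(self, refresh_token):
        """Return an (access, refresh) pair, or None for invalid_grant."""
        rec = self.refresh.get(refresh_token)
        if rec is None:
            return None  # never issued by this server
        now = self.clock()
        if rec["retired_at"] is None:
            # First use: rotate, but only mark the old token as retired.
            rec["retired_at"] = now
            rec["successor"] = self._issue()
            return rec["successor"]
        if now - rec["retired_at"] <= GRACE_SECONDS:
            # Concurrent or retried request from a distributed client:
            # hand back the pair already issued instead of minting another.
            return rec["successor"]
        return None  # replay after the grace window: reject
```

A production server would persist this state and drop retired records once the window has passed.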