--- a/mod_http_oauth2/mod_http_oauth2.lua	Fri Jul 21 00:38:04 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sun Jul 23 02:56:08 2023 +0200
@@ -270,18 +270,23 @@
 		token_data = nil;
 	end
 
-	local refresh_token;
 	local grant = refresh_token_info and refresh_token_info.grant;
 	if not grant then
 		-- No existing grant, create one
 		grant = tokens.create_grant(token_jid, token_jid, default_refresh_ttl, token_data);
-		-- Create refresh token for the grant if desired
-		refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant, nil, nil, "oauth2-refresh");
-	else
-		-- Grant exists, reuse existing refresh token
-		refresh_token = refresh_token_info.token;
 	end
 
+	if refresh_token_info then
+		-- out with the old refresh tokens
+		local ok, err = tokens.revoke_token(refresh_token_info.token);
+		if not ok then
+			module:log("error", "Could not revoke refresh token: %s", err);
+			return 500;
+		end
+	end
+	-- in with the new refresh token
+	local refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant.id, nil, nil, "oauth2-refresh");
+
 	if role == "xmpp" then
 		-- Special scope meaning the users default role.
 		local user_default_role = usermanager.get_user_role(jid.node(token_jid), module.host);