Problem/Motivation
I was seeing this on 5.0, and still seeing it after upgrading to 5.2.
I've been trying to figure out why I keep getting "refresh token invalid" errors, and I realized that, somehow, incorrect tokens seem to be returned by /oauth/token. The request is validated correctly for the password grant_type (in that an incorrect username/password pair fails, while a correct one succeeds), but the response data seems to be... wrong somehow. Every request with any username/password is returning the same access token and refresh token, but neither of them actually appears in the oauth2_token table. A new access/refresh token pair does appear to be created in the table, but they just aren't returned.
Strangely, the access token still actually works (as in, it is valid when present in the header for JSON/REST requests), and attempting to refresh the token via the refresh_token grant_type sometimes "works" as well, in that the access token starts to work again. But, when it succeeds, the tokens in the response are the exact same ones as before even though new access/refresh tokens are added to the oauth_token table. The expires_in value in the response is correct, so it's definitely returning something from simple_oauth in some capacity.
One thing that stands out is that none of my listed refresh_tokens have a client associated with them. The client column in the db is NULL for all of them.
I'm going to try and dig around to see if I can find any more information, but figured I'd drop this in here before I code switch and forget what's happening.
Steps to reproduce
Haven't tried to reproduce yet on a clean installation, but I'm just hitting /oauth/token with the appropriate parameters/credentials.