Closed
Description
It seems that the library changed the way it checks for expired tokens from manual handling to throwing exceptions. And now you can put a random JWT token as an expired token if you obtain a refresh token. I think this is a huge flaw in the library.
I wanted to validate that all data are there and manually check if the token expired so I can confirm that the old token was valid when it was valid and it's not a random token.
Because you can't validate expired tokens, both access and refresh tokens need to have the exact same claims because you can't recreate a new access token based on an old one.