1. Internet Engineering Task Force (IETF) RFC 6749
The OAuth 2.0 Authorization Framework.
Section 1.5
"Refresh Token": "Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires..." This directly supports option A.
Section 6
"Refreshing an Access Token": "The authorization server MAY issue a new refresh token
in which case the client MUST discard the old refresh token and replace it with the new refresh token." The use of "MAY" indicates that a new token is not always issued
implying the original can be reused if a new one is not provided. This supports option D.
Section 4.2.2
"Access Token Response" (Implicit Grant): "A refresh token SHOULD NOT be included." This directly refutes the claim in option B that a refresh token is always issued.
2. Google Cloud
Apigee Documentation
"OAuthV2 policy".
"Generating an access token" section: The documentation describes the element within the GenerateAccessToken block. This element's existence as a configurable option demonstrates that issuing a refresh token is a deliberate policy choice and not an automatic action for every access token generation
which refutes option B.
