In our ASP.NET (OWIN) Regular Web Application, we exchange an Authorization Code for an Access Token (Authentication API Explorer) and a Refresh Token to renew the Access Token (Authentication API Explorer) .
So far all is fine. But when a user closes the browser, and starts the application again a new refresh token is being issued. This leads to an accumulation of refresh tokens because they don’t get revoked.
Is this a problem ? And if yes how can we handle this issue?