Hi, 

I have a scenario for 3legged OAuth security that I have put in place in my Apigee Edge. 

Step 1:

Auth code is generated , with validity of 60 seconds, and the response comes along with a endUserId VALUE WHICH WE TAKE AS IDENTIFIER IN THE REQUEST PARAMS.

Step 2:-

With obtained auth code and Identifier , make a request to access token. The acces token response will contain the complete details like scopes, enduserId attribute, accessToken, refreshToken  with a validity of 24 hours for access token and 90 days for refresh token. 

Step 3: using the refresh token obtained , i can request for new access token within 90 days, every time i make a request , a new access token comes in response and refresh token remains same, a counter is maintained  with a value of no of hits to the refresh token api. 

Observation:-

every time I request for a new access token using the refresh access token, say about for example - I repeated the 3rd step 2 times (after step 1 and 2 is done), If i use the latest access token, i can make my service call and verify access token is passed successfully.

But if i use, penultimate access token or the first token, even though they are not expired (not more thna 24 hours), I get an error message as INVALID ACCESS TOKEN .  I want to know why is this behaviour, is it genuine or did i miss anything.

Because , for normal 2 legged oauth 2 , When i request for multiple access tokens within 24 hours all of them, are valid. But that not happening for 3 legged oauth.