I'm building a system where users may be required to grant access to 1 or more Google services (using the OAuth2 server flow).
For the first service they authorise, everything works perfectly - however, when they then authorise a second service (using a different client id & secret), the original refresh token from the first authorisation is invalidated.
Is this expected behaviour or am I doing something wrong somewhere?
I expect that by using multiple Client IDs & Secrets, I should be able to store multiple refresh tokens, one for each service granted access to - so both users and I can be in total control of what is shared and used where.