I've got a workaround, but thought I would highlight an issue I've found.
I've got a client written that is logging into the .NET API and is trying to use the refresh tokens. But I've found a bug where the refresh token can be used to get a new access token, but the access token won't work.
I've found the problem in the template code and it only happens when the user belongs to a tenant.
The refresh token code is using the current session's tenant. So for example the access token has a user identity of (tenant ID: null, user ID: 82) instead of (tenant ID: 7, user ID: 82).
The work around ws to send the tenant ID in the headers on the request to refresh the token. But this is still a bug since the API should handle that. And if by design the tenant ID should be sent, the refresh token endpoint should error rather than return an access token that doesn't work.
This isn't stopping us anymore. But thought it should be raised to ease of use of future users.