
Expire the refresh token only after the created authentication token has been used once

Open guruz opened this issue 5 years ago • 3 comments

Forgive me if I use the wrong terms here; this is something that came up here on Monday in the office with @ogoffart and @michaelstingl and @jnweiger and @ckamm.

This is to avoid a situation where the reply from the server with the new authentication token gets lost but we can't use the refresh token for a second time because the server already invalidated it.

On usage of the refresh token, the server could create a new authentication token but still keep the refresh token valid to be used again. Only when the new authentication token has been used by the client do we know that the client properly received the new authentication token, and the server can invalidate the refresh token.

guruz, May 22 '19 13:05
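The scheme proposed above, as an added example that is not part of the issue or the project's own code: an in-memory token server where a used refresh token stays accepted until the new access token has been presented once, so a client whose reply was lost can retry and receive the same pending pair. It goes one step past the proposal: presenting a refresh token after it has been retired is treated as reuse and revokes the whole grant, which is the standard mitigation that pairs with refresh-token rotation.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    access: str                          # access token currently valid for this grant
    refresh: str                         # refresh token currently valid for this grant
    prev_refresh: Optional[str] = None   # old refresh token, still accepted until `access` is used
    access_used: bool = False
    revoked: bool = False


class TokenServer:
    """Hypothetical token server: the refresh token that produced an access token
    stays valid until that access token has been seen once."""

    def __init__(self) -> None:
        self.by_access: dict[str, Session] = {}
        self.by_refresh: dict[str, Session] = {}
        self.retired: dict[str, Session] = {}   # no longer valid; kept for reuse detection

    def login(self) -> tuple[str, str]:
        s = Session(secrets.token_urlsafe(16), secrets.token_urlsafe(16))
        self.by_access[s.access], self.by_refresh[s.refresh] = s, s
        return s.access, s.refresh

    def use_access(self, access: str) -> bool:
        s = self.by_access.get(access)
        if s is None or s.revoked:
            return False
        s.access_used = True
        if s.prev_refresh is not None:    # client provably received the rotation reply
            self.retired[s.prev_refresh] = self.by_refresh.pop(s.prev_refresh)
            s.prev_refresh = None
        return True

    def refresh(self, refresh: str) -> Optional[tuple[str, str]]:
        s = self.retired.get(refresh)
        if s is not None:                 # reuse of a retired token: revoke the whole grant
            s.revoked = True
            self.by_access.pop(s.access, None)
            self.by_refresh.pop(s.refresh, None)
            return None
        s = self.by_refresh.get(refresh)
        if s is None or s.revoked:
            return None
        if refresh == s.prev_refresh:     # retry after a lost reply: same pending pair again
            return s.access, s.refresh
        self.by_access.pop(s.access, None)            # old access token is gone
        if s.prev_refresh is not None:                # new refresh token used: reply was received
            self.retired[s.prev_refresh] = self.by_refresh.pop(s.prev_refresh)
        s.prev_refresh, s.access_used = refresh, False
        s.access, s.refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.by_access[s.access], self.by_refresh[s.refresh] = s, s
        return s.access, s.refresh
```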