Enable Automatic Reuse Detection in Doorkeeper - OAuth Access Tokens
Related to https://gitlab.com/gitlab-org/gitlab/-/issues/363525
Currently GitLab (via Doorkeeper) invalidates access tokens whenever a new token is requested via a refresh token. Similarly, once a refresh token is used it is also invalidated and a new refresh token is returned with the new access token.
However, GitLab does not currently support [automatic refresh token reuse detection](https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation#automatic-reuse-detection). That is, if a revoked refresh token is used, any 'related' access and refresh tokens are not also revoked.
It appears Doorkeeper supports this feature automatically in the presence of a `previous_refresh_token` column in the `oauth_access_tokens` table. Documentation on this feature is pretty non-existent, but see https://github.com/doorkeeper-gem/doorkeeper/blob/master/lib/generators/doorkeeper/templates/migration.rb.erb#L60-72.
**Question:** Will changing this behavior constitute a breaking change?
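An added illustration (not GitLab's or Doorkeeper's code) of the difference described above: rotation alone versus rotation with automatic reuse detection. The `TokenStore` class, its methods and the `family_id` field are hypothetical, and `previous_refresh_token` is used here only to link each rotated pair to the one it replaced.

```ruby
require "securerandom"

# In-memory model of refresh token rotation. All names are hypothetical;
# this does not reproduce Doorkeeper's or GitLab's implementation.
class TokenStore
  Token = Struct.new(:access_token, :refresh_token, :previous_refresh_token,
                     :family_id, :revoked)

  class InvalidGrant < StandardError; end

  attr_reader :reuse_events

  def initialize(reuse_detection:)
    @reuse_detection = reuse_detection
    @by_refresh = {}     # refresh_token => Token (access/refresh pair)
    @reuse_events = []   # family ids where a revoked refresh token was replayed
  end

  # Initial grant starts a new family; a rotation passes the family along.
  def issue(family_id: SecureRandom.uuid, previous: nil)
    token = Token.new(SecureRandom.hex(16), SecureRandom.hex(16), previous, family_id, false)
    @by_refresh[token.refresh_token] = token
  end

  # Refresh grant: revoke the presented pair and return its replacement.
  def refresh(refresh_token)
    current = @by_refresh[refresh_token] or raise InvalidGrant, "unknown refresh token"
    if current.revoked
      handle_reuse(current)
      raise InvalidGrant, "refresh token already used"
    end
    current.revoked = true
    issue(family_id: current.family_id, previous: current.refresh_token)
  end

  private

  # A revoked refresh token was replayed, so two parties hold tokens from the
  # same chain. With detection on, the whole chain is revoked, not just the replay.
  def handle_reuse(token)
    @reuse_events << token.family_id
    return unless @reuse_detection
    @by_refresh.each_value { |t| t.revoked = true if t.family_id == token.family_id }
  end
end
```

With `reuse_detection: false` the replay is rejected but the newest pair stays valid, which is the current behavior the issue describes; with `reuse_detection: true` the legitimate client is also forced to re-authenticate.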