Refresh Token Recycling

Description

During the refresh token grant it is possible to issue a new pair of access and refresh tokens.

While issuing a new pair is the safer option (it prevents replay of an old refresh token), RFC 6749 (the OAuth 2.0 Authorization Framework) does not require the server to issue a new refresh token, and some implementations may rely on recycling the same refresh token for repeated use.


The goal of this story is to support refresh token recycling.

Activity


Joshua Chong, October 29, 2018 at 12:56 PM

Manual testing PASSED with the following steps:

  1. Navigate to System Settings > OAuth 2 > System Scope > Provider

  2. Assert "Recycle Refresh Token" checkbox is checked by default

  3. Add a new OAuth 2 application and complete an Authorization Grant flow to obtain a new refresh token

  4. Use this refresh token to hit the refresh token oauth URI endpoint

  5. Assert a new/different access token is returned in the response

  6. Assert that the refresh token returned is the same as the original one used

  7. Repeat steps 4-6 multiple times

  8. Disable "Recycle Refresh Token" within System Settings

  9. Use the original refresh token to hit the refresh token oauth URI endpoint

  10. Assert that both a new access token AND new refresh token are returned

  11. Assert that the original refresh token is no longer valid by either checking with the Token Introspection endpoint or attempting to use it with the refresh token endpoint

  12. Use the newly generated refresh token from step 10 to hit the refresh token endpoint

  13. Assert that both a new access token AND new refresh token are returned

  14. Re-enable "Recycle Refresh Token" within System Settings

  15. Repeat steps 4-7

Testing passed on:

Portal 7.1.x-private Git SHA: 493dea7d908cf56954d7b6169d7c2a6d23d9a0fc
Portal DXP 7.1 GA1 + FP3 (build 14) + Liferay Plugin for OAuth 2.0 1.1.0
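The two behaviours covered by the description and by the manual test above, as an added example that is not part of this ticket and not Liferay's or the OAuth 2.0 plugin's own code: a minimal in-memory token endpoint that handles only grant_type=refresh_token, with a `recycle_refresh_token` switch standing in for the "Recycle Refresh Token" setting. The class, method and field names, the token store and the client id `app-1` are all constructed for this example. With recycling on, a refresh returns a new access token and the same refresh token; with recycling off, the old refresh token is invalidated (introspection reports it inactive and reusing it yields `invalid_grant`), which is what makes rotation the replay-resistant option.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    """Constructed in-memory store: token string -> owning client_id."""
    access_tokens: dict = field(default_factory=dict)
    refresh_tokens: dict = field(default_factory=dict)


class RefreshGrantServer:
    """Minimal OAuth 2.0 token endpoint handling only grant_type=refresh_token.

    recycle_refresh_token=True mirrors the 'Recycle Refresh Token' setting:
    the same refresh token is returned and stays valid. False means rotate:
    a new refresh token is issued and the presented one is revoked.
    """

    def __init__(self, recycle_refresh_token: bool = True):
        self.recycle_refresh_token = recycle_refresh_token
        self.store = TokenStore()

    def issue_initial_tokens(self, client_id: str) -> dict:
        """Stand-in for the end of an authorization code grant (assumed shape)."""
        access = secrets.token_urlsafe(24)
        refresh = secrets.token_urlsafe(32)
        self.store.access_tokens[access] = client_id
        self.store.refresh_tokens[refresh] = client_id
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer"}

    def refresh(self, client_id: str, refresh_token: str) -> dict:
        """Handle grant_type=refresh_token for the given (authenticated) client."""
        owner = self.store.refresh_tokens.get(refresh_token)
        # Unknown, revoked, or another client's refresh token: reject (RFC 6749 invalid_grant).
        if owner is None or owner != client_id:
            return {"error": "invalid_grant"}

        # A new access token is always issued.
        access = secrets.token_urlsafe(24)
        self.store.access_tokens[access] = client_id

        if self.recycle_refresh_token:
            # Recycle: the presented refresh token remains valid and is returned as-is.
            new_refresh = refresh_token
        else:
            # Rotate: revoke the presented token so a replayed copy is rejected,
            # then mint a fresh one bound to the same client.
            del self.store.refresh_tokens[refresh_token]
            new_refresh = secrets.token_urlsafe(32)
            self.store.refresh_tokens[new_refresh] = client_id

        return {"access_token": access, "refresh_token": new_refresh, "token_type": "Bearer"}

    def introspect(self, token: str) -> dict:
        """Minimal introspection response: active only while the token is still stored."""
        active = token in self.store.access_tokens or token in self.store.refresh_tokens
        return {"active": active}


def run_scenario() -> dict:
    """Walk the manual test steps above against the constructed server and
    return the observations a tester would assert on."""
    srv = RefreshGrantServer(recycle_refresh_token=True)
    initial = srv.issue_initial_tokens("app-1")

    # Recycling enabled: new access token, same refresh token, repeatedly.
    recycled = [srv.refresh("app-1", initial["refresh_token"]) for _ in range(3)]

    # Recycling disabled: rotation, original refresh token revoked.
    srv.recycle_refresh_token = False
    rotated = srv.refresh("app-1", initial["refresh_token"])
    replay = srv.refresh("app-1", initial["refresh_token"])
    rotated_again = srv.refresh("app-1", rotated["refresh_token"])

    return {
        "initial": initial,
        "recycled": recycled,
        "rotated": rotated,
        "original_introspection": srv.introspect(initial["refresh_token"]),
        "replay": replay,
        "rotated_again": rotated_again,
    }


if __name__ == "__main__":
    result = run_scenario()
    print("recycled refresh token unchanged:",
          all(r["refresh_token"] == result["initial"]["refresh_token"] for r in result["recycled"]))
    print("replay of rotated token:", result["replay"])
```

`run_scenario()` follows the numbered steps in order; in a real deployment the client_id check would come from client authentication on the token endpoint rather than a function argument.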

Completed
Created October 10, 2018 at 1:19 PM
Updated February 28, 2020 at 12:53 AM
Resolved October 29, 2018 at 12:56 PM