- Type: Bug
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: OIDC DB Auth
- None
- Environment: not specified (OS, node.js / npm versions and additional info left blank)
- Iteration Zenith, Iteration A (Apr 21 - May 5)
- Not Needed
- Developer Tools
Compass/mongosh maintains an internal state in its OIDC plugin that covers which access or ID tokens are passed to the driver. Token expiration is only covered by the expiration date announced as part of the token set response from the identity provider. If the server considers the token expired for reasons that the client application has no insight into, like a JWKS rotation or diverging system clocks, and the driver requests a new token, Compass/mongosh will still respond with the old one.
We should migrate to a model in which the driver tells the OIDC callback which token was rejected specifically, so that the oidc-plugin code can test whether that token is the currently active token and automatically discard the current access/ID token if that is the case, instead of returning it.
This would need to come with a note about it in the spec.
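The model the ticket proposes, sketched as an added JavaScript example (not Compass, mongosh or driver code): the `rejectedToken` callback parameter and the `makeIssuer` stand-in for the identity provider are assumptions made for this illustration. It contrasts the current expiry-only cache with a callback that discards the active token when the driver reports it as rejected, while ignoring a stale report about a token that was already replaced.

```javascript
// Constructed stand-in for the identity provider: each call mints a fresh
// opaque token whose one-hour lifetime is the only expiry the client sees.
function makeIssuer(now) {
  let counter = 0;
  return () => ({ accessToken: `access-token-${++counter}`, expiresAt: now() + 3_600_000 });
}

class OidcTokenState {
  constructor(issueToken, now = () => Date.now()) {
    this.issueToken = issueToken;
    this.now = now;
    this.current = null; // token set currently handed to the driver
    this.refreshes = 0;  // how often the IdP was asked for a new one
  }

  // Current model: only the locally known expiry decides whether to refresh,
  // so a token the server rejected early is simply handed back again.
  legacyCallback() {
    if (this.current === null || this.current.expiresAt <= this.now()) {
      this.current = this.issueToken();
      this.refreshes += 1;
    }
    return this.current.accessToken;
  }

  // Proposed model: the driver passes the token it rejected (hypothetical
  // `rejectedToken` parameter). Discard the cached token only if it is the
  // active one, so a stale report cannot evict a token already replaced.
  proposedCallback({ rejectedToken = null } = {}) {
    if (rejectedToken !== null && this.current !== null
        && this.current.accessToken === rejectedToken) {
      this.current = null;
    }
    return this.legacyCallback();
  }
}

// Scenario: the server rejects the active token (say, after a JWKS rotation)
// while its announced expiry is an hour away, and the driver asks again.
function simulateServerRejection() {
  const now = () => 1_700_000_000_000; // frozen clock: expiry never passes locally
  const legacy = new OidcTokenState(makeIssuer(now), now);
  const proposed = new OidcTokenState(makeIssuer(now), now);
  legacy.legacyCallback();                               // "access-token-1"
  const rejected = proposed.proposedCallback();          // "access-token-1"
  return {
    legacyRetry: legacy.legacyCallback(),                // still "access-token-1"
    proposedRetry: proposed.proposedCallback({ rejectedToken: rejected }), // "access-token-2"
  };
}
```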
- depends on: DRIVERS-3161 [OIDC] Pass expired token to human OIDC callback (Closed)