I am currently testing a website that appears to make a refresh token request every time I focus away from the web browser and back, or away from the tab the website is open in and back to it. I've confirmed these requests are refreshing my access token. My question is whether this poses an additional security risk or not. My initial thought is it's not a good idea to have a ton of valid tokens floating around, but I'm not certain that this implementation gives an attacker any larger window to steal an access token than he would already have with any method already available to get his hands on an access token.
Edit: the tokens are actually being regenerated in this case, though it appears if this had been a refresh token, this would be okay, though unnecessary.