A user can refresh any token belonging to him with any refresh token. This means that the user can refresh token A with token B's refresh token.
Should we allow it? @lobo
Note: This can be done if the id is removed from the URL and taken directly from the token. @lobo What do you think about this?
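The behaviour described above next to the change suggested in the note, as an added example that is not part of the original post or the project's code. `TokenStore`, its method names and the in-memory storage are hypothetical, and "taken directly from the token" is read here as "looked up from the refresh token".

```python
import secrets

class TokenStore:
    """Hypothetical in-memory store: each refresh token is bound to one token id."""

    def __init__(self):
        self.tokens = {}   # token_id -> {"user": str, "access": str}
        self.refresh = {}  # refresh token -> token_id it was issued for

    def issue(self, user):
        token_id = secrets.token_hex(8)
        refresh = secrets.token_urlsafe(16)
        self.tokens[token_id] = {"user": user, "access": secrets.token_urlsafe(16)}
        self.refresh[refresh] = token_id
        return token_id, refresh

    def _renew(self, token_id):
        # Replace the access token value for this id.
        self.tokens[token_id]["access"] = secrets.token_urlsafe(16)
        return token_id, self.tokens[token_id]["access"]

    def refresh_by_url_id(self, url_token_id, refresh):
        """Behaviour from the post: id comes from the URL, only the owner is compared."""
        bound_id = self.refresh.get(refresh)
        target = self.tokens.get(url_token_id)
        if bound_id is None or target is None:
            raise PermissionError("unknown token")
        if self.tokens[bound_id]["user"] != target["user"]:
            raise PermissionError("refresh token belongs to another user")
        # bound_id is never compared with url_token_id, so B's refresh token renews A.
        return self._renew(url_token_id)

    def refresh_bound(self, refresh):
        """Suggested change: no id parameter, the id is derived from the refresh token."""
        bound_id = self.refresh.get(refresh)
        if bound_id is None:
            raise PermissionError("unknown token")
        return self._renew(bound_id)

if __name__ == "__main__":
    store = TokenStore()
    a_id, a_refresh = store.issue("alice")  # constructed sample user
    b_id, b_refresh = store.issue("alice")
    print(store.refresh_by_url_id(a_id, b_refresh)[0] == a_id)  # token A renewed with B's refresh token
    print(store.refresh_bound(b_refresh)[0] == b_id)            # only token B can be renewed
```

If the id has to stay in the URL, the equivalent check is to reject the request when the id bound to the refresh token differs from the id in the URL.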