Comment 6 for bug 1215627

That sounds accurate,

* Re-publish/Respond with same token for requests that request a new token with same params.

One additional note, is
* I do not think you would want to refresh the expiry time (since user configuration specifies what that should be), tokens should be "handed" out with same expiry time, until it expires.