Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 3.1.2
- None
- Unknown
Description
The refreshAccessToken method calls revokeRefreshAndAccessTokens, which calls revokeRefreshToken, which is an abstract method which declares no exceptions.
Implementations assume that the method will return null if the refresh token doesn't exist (see the DefaultEHCacheOAuthDataProvider, although the DefaultEncryptingOAuthDataProvider implementation may throw a SecurityException in that case as it can't really / doesn't support revoking).
However, if a null is returned, refreshAccessToken passes that null to doRefreshAccessToken, which will then fail with a NullPointerException.
I suggest that refreshAccessToken check for a null refresh token and throw an OAuthServiceException, possibly with OAuthConstants.ACCESS_DENIED.
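
The call chain described above, as an added example that is not CXF's code or the fix that was committed: a simplified Java model in which the suggested null check turns a missing or already-revoked refresh token into an OAuth error instead of a NullPointerException. Every class here is a stand-in whose method names mirror the report, the signatures are reduced to a single token key, and the string "access_denied" is assumed to correspond to OAuthConstants.ACCESS_DENIED (requires Java 16+ for `record`).

```java
import java.util.HashMap;
import java.util.Map;
// Simplified stand-ins for illustration; these are NOT the CXF classes.
public class RefreshTokenNullCheckDemo {
    static class OAuthServiceException extends RuntimeException {
        OAuthServiceException(String error) { super(error); }
    }
    static final String ACCESS_DENIED = "access_denied"; // assumed error code
    record RefreshToken(String key, String clientId) {}

    abstract static class DataProvider {
        // Abstract and declares no exceptions: an implementation may return null
        // when the refresh token does not exist.
        protected abstract RefreshToken revokeRefreshToken(String tokenKey);
        protected RefreshToken revokeRefreshAndAccessTokens(String tokenKey) {
            return revokeRefreshToken(tokenKey);
        }

        public String refreshAccessToken(String tokenKey) {
            RefreshToken old = revokeRefreshAndAccessTokens(tokenKey);
            // Guard suggested in the report: reject explicitly rather than
            // passing null on to doRefreshAccessToken.
            if (old == null) {
                throw new OAuthServiceException(ACCESS_DENIED);
            }
            return doRefreshAccessToken(old);
        }

        protected String doRefreshAccessToken(RefreshToken old) {
            // Dereferences the token; without the guard this is where the NPE occurs.
            return "access-token-for-" + old.clientId();
        }
    }

    static class MapProvider extends DataProvider {
        final Map<String, RefreshToken> tokens = new HashMap<>();
        @Override
        protected RefreshToken revokeRefreshToken(String tokenKey) {
            return tokens.remove(tokenKey); // null if unknown or already revoked
        }
    }

    public static void main(String[] args) {
        MapProvider p = new MapProvider();
        p.tokens.put("rt-1", new RefreshToken("rt-1", "client-a")); // constructed sample
        System.out.println(p.refreshAccessToken("rt-1")); // first use succeeds
        try {
            p.refreshAccessToken("rt-1"); // same token presented again
        } catch (OAuthServiceException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```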