/**
  * This method is intended to be overridden by subclasses.
  *
  * @param checkedScope
  * @return
  * @throws org.forgerock.openam.oauth2.exceptions.OAuthProblemException
  */
 protected CoreToken createAccessToken(CoreToken refreshToken, Set<String> checkedScope) {
   return getTokenStore()
       .createAccessToken(
           client.getClient().getAccessTokenType(),
           checkedScope,
           OAuth2Utils.getRealm(getRequest()),
           refreshToken.getUserID(),
           refreshToken.getClientID(),
           refreshToken.getRedirectURI(),
           null,
           refreshToken.getTokenID());
 }
  @Post("form:json")
  public Representation represent(Representation entity) {
    /*
     * o require client authentication for confidential clients or for any
     * client that was issued client credentials (or with other
     * authentication requirements), o authenticate the client if client
     * authentication is included and ensure the refresh token was issued to
     * the authenticated client, and o validate the refresh token.
     */

    client = getAuthenticatedClient();
    String refresh_token =
        OAuth2Utils.getRequestParameter(
            getRequest(), OAuth2Constants.Params.REFRESH_TOKEN, String.class);
    // Find Token
    CoreToken refreshToken = getTokenStore().readRefreshToken(refresh_token);

    SessionClient refreshTokenClient =
        new SessionClientImpl(refreshToken.getClientID(), refreshToken.getRedirectURI());

    if (null == refreshToken) {
      OAuth2Utils.DEBUG.error("Refresh token does not exist for id: " + refresh_token);
      throw OAuthProblemException.OAuthError.INVALID_REQUEST.handle(
          getRequest(), "RefreshToken does not exist");
    } else if (!refreshTokenClient.getClientId().equals(client.getClient().getClientId())) {
      OAuth2Utils.DEBUG.error(
          "Refresh Token was issued to a different client id: " + refreshTokenClient.getClientId());
      throw OAuthProblemException.OAuthError.INVALID_REQUEST.handle(
          getRequest(), "Token was issued to a different client");
    } else {
      if (refreshToken.isExpired()) {
        OAuth2Utils.DEBUG.warning("Refresh Token is expired for id: " + refresh_token);
        throw OAuthProblemException.OAuthError.EXPIRED_TOKEN.handle(getRequest());
      }

      // Get the requested scope
      String scope_before =
          OAuth2Utils.getRequestParameter(getRequest(), OAuth2Constants.Params.SCOPE, String.class);

      Set<String> granted_after = null;
      // Get the granted scope
      if (null != refreshToken.getScope()) {
        granted_after = new TreeSet<String>(refreshToken.getScope());
      } else {
        granted_after = new TreeSet<String>();
      }

      // Validate the granted scope
      Set<String> checkedScope = executeRefreshTokenScopePlugin(scope_before, granted_after);

      // Generate Token
      CoreToken token = createAccessToken(refreshToken, checkedScope);
      Map<String, Object> response = token.convertToMap();

      // execute post token creation pre return scope plugin for extra return data.
      Map<String, String> data = new HashMap<String, String>();
      response.putAll(executeExtraDataScopePlugin(data, token));

      if (checkedScope != null && !checkedScope.isEmpty()) {
        response.put(
            OAuth2Constants.Params.SCOPE,
            OAuth2Utils.join(checkedScope, OAuth2Utils.getScopeDelimiter(getContext())));
      }

      return new JacksonRepresentation<Map>(response);
    }
  }