zf-fr / zfr-oauth2-server

PHP library for creating an OAuth 2 server (currently proof of concept)


Ensure ResourceServer only returns valid tokens

bakura10 opened this issue · comments

Currently, the resource server "getAccessToken" retrieves a token and can return any token, even if it is expired: https://github.com/zf-fr/zfr-oauth2-server/blob/master/src/ZfrOAuth2/Server/ResourceServer.php#L90

The current logic is to call "isRequestValid" first, then "getAccessToken" if isRequestValid returns true. A more correct way would be to delete isRequestValid in favour of a private "isTokenValid" that is called by getAccessToken, so that the resource server always returns valid tokens. If someone wants to retrieve an expired token, they should explicitly use the repository.
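The design proposed above, written out as an added example rather than the library's own code: validation lives inside getAccessToken, and the repository is the only path that hands back an expired token. The AccessToken and TokenRepository classes, the getAccessToken signature and the sample tokens are all assumptions for illustration.

```php
<?php
// Added example, not zfr-oauth2-server code: AccessToken and TokenRepository
// are hypothetical stand-ins for the library's own classes.
class AccessToken
{
    public function __construct(public string $token, public DateTimeImmutable $expiresAt) {}
    public function isExpired(DateTimeImmutable $now): bool
    {
        return $this->expiresAt <= $now;
    }
}

class TokenRepository
{
    public function __construct(private array $tokens) {}
    // Returns any stored token, expired or not: the explicit path for callers that want one.
    public function find(string $token): ?AccessToken
    {
        return $this->tokens[$token] ?? null;
    }
}

class ResourceServer
{
    public function __construct(private TokenRepository $repository) {}
    // Validates inside, so no prior isRequestValid() call is needed: a missing,
    // unknown or expired token yields null, and an expired token is never returned.
    public function getAccessToken(array $headers, DateTimeImmutable $now): ?AccessToken
    {
        if (preg_match('/^Bearer\s+(\S+)$/', $headers['Authorization'] ?? '', $m) !== 1) {
            return null;
        }
        $token = $this->repository->find($m[1]);
        return $this->isTokenValid($token, $now) ? $token : null;
    }
    private function isTokenValid(?AccessToken $token, DateTimeImmutable $now): bool
    {
        return $token !== null && !$token->isExpired($now);
    }
}

// Constructed sample data: one live token and one expired token.
$now    = new DateTimeImmutable('2014-01-01 12:00:00');
$server = new ResourceServer(new TokenRepository([
    'live'    => new AccessToken('live', $now->modify('+1 hour')),
    'expired' => new AccessToken('expired', $now->modify('-1 hour')),
]));
var_dump($server->getAccessToken(['Authorization' => 'Bearer live'], $now));
var_dump($server->getAccessToken(['Authorization' => 'Bearer expired'], $now));
```

The second call returns null for the expired token, while `find('expired')` on the repository still returns it for callers that explicitly need it.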