Bug or my misunderstanding?

Hello, I’ve noticed that if I can produce this error (by attempting to exchange the same code twice)

2024-02-21 17:07:05,002 WARN  [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (executor-thread-75) Code 'c3d11805-9069-4670-b7ff-86b35d689408' already used for userSession '103571cd-8bd8-4926-9d49-d1296c2
85462' and client '427c56e7-2696-4312-bd84-79dbce933456'.
2024-02-21 17:07:05,002 WARN  [org.keycloak.events] (executor-thread-75) type=CODE_TO_TOKEN_ERROR, realmId=146101a1-221e-4e35-859d-1ae0a6e5ee81, clientId=cabinetdev, userId=null, ipAddress=172.31.0.1, error=i
nvalid_code, grant_type=authorization_code, code_id=103571cd-8bd8-4926-9d49-d1296c285462, client_auth_method=client-secret

Then the refresh token I have stored on the successful attempt, now can no longer be used in the revocation endpoint. resulting in this error

2024-02-21 17:32:02,613 WARN  [org.keycloak.events] (executor-thread-124) type=REVOKE_GRANT_ERROR, realmId=146101a1-221e-4e35-859d-1ae0a6e5ee81, clientId=cabinetdev, userId=null, ipAddress=172.31.0.1, error=u
ser_session_not_found, client_auth_method=client-secret

I.e. a bad request can cause a session to no longer be revoked.

This seems to me like a bug, but maybe I just have a misunderstanding aboiut refresh tokens, and sessions, and revocations, etc.

Could anyone advise?