feat: revoke refresh token on request only

[vivshankar]

The OAuth 2.0 Token Revocation specification (RFC7009)
indicates that the authorization server can choose to only revoke refresh tokens if the token in the request is a
refresh token in the authorization grant.

This change gives an option to not revoke the refresh token if the token in the request is an access token.

Related Issue or Design Document

N/A

Checklist

• I have read the contributing guidelines and signed the CLA.
• I have referenced an issue containing the design document if my change introduces a new feature.
• I have read the security policy.
• I confirm that this pull request does not address a security vulnerability.
  If this pull request addresses a security vulnerability,
  I confirm that I got approval (please contact [email protected]) from the maintainers to push the changes.
• I have added tests that prove my fix is effective or that my feature works.
• I have added the necessary documentation within the code base (if appropriate).

Further comments

N/A

[vivshankar]

@aeneasr Do you mind taking a look at this? It's a fairly simple change and has no compatibility impact.

[aeneasr]

Sorry, I lack the time to look into PRs in fosite at the moment. This looks good to me, but it would be even better if there was a small test for this!

[mitar]

This looks good, but yes, tests please.

[vivshankar]

@aeneasr @mitar Added tests

[mitar]

Thanks!