[13.x] Make revoking refresh tokens optional

[hafezdivandari]

• Fix issue and persist a new refresh token when revoking refresh token is disabled thephpleague/oauth2-server#1449

This PR introduces a new Passport::$revokeRefreshTokens property, in line with the new GrantTypeInterface::revokeRefreshTokens() function added in oauth2-server v9.0 useful for safer token rotation.

Disabling refresh token revocation can be useful if you want the client to manually revoke the old refresh token only after it successfully receives the new access token and refresh token.

Consider the following scenarios:

Refresh Token Revocation Enabled (Default behavior)

1. The client requests to refresh an access token.
2. The old access token is revoked.
3. The old refresh token is revoked.
4. A new access token and refresh token are issued in response.
5. The client loses network connection and does not receive the new access and refresh tokens.
6. The client cannot use the old refresh token because it has already been revoked.
7. Dead end!

Refresh Token Revocation Disabled

1. The client requests to refresh an access token.
2. The old access token is revoked.
3. A new access token and refresh token are issued in response.
4. The client loses network connection and does not receive the new access and refresh tokens.
5. The client can use the old refresh token again to receive new tokens.
6. The client manually requests the old refresh token's revocation after successfully receiving the new one.

[github-actions]

Thanks for submitting a PR!

Note that draft PR's are not reviewed. If you would like a review, please mark your pull request as ready for review in the GitHub user interface.

Pull requests that are abandoned in draft may be closed due to inactivity.