Always validate the client and determine if it handles the grant type

[hafezdivandari]

Fixes #1174
Fixes #1369
Related to #1073
Closes #1036

This PR can be considered as a security enhancement and does 2 main changes:

1. Always validate client:
   • The "auth code" grant - Unlike all other grants - calls AbstractGrant::validateClient() only if the client is confidential. This PR fixes this inconsistent behavior and makes the server always call AbstractGrant::validateClient().
   • The "auth code" and "client credential" grants unnecessarily call AbstractGrant::getClientEntityOrFail() twice instead of just using the AbstractGrant::validateClient() return value, this PR fixes that.
   • All grants except "client credentials" grant can be non-confidential. So this PR fixes the example implementation of ClientRepository::validateClient(): validate the client secret only if the client is confidential. It's already implemented this way on most community integrations:
     • Passport
     • Symfony
     • Mezzio
     • Drupal
2. New ClientEntityInterface::hasGrantType() function:
   • This function is implemented on ClientTrait that returns true by default to avoid BC breaking changes.
   • Currently there is no way to check if the client handles the grant type before proceeding the request, e.g. We don't want to make auth code on "auth code grant" or make device code on "device code auth" grant or response with the access token on "implicit token" grant if the specified client doesn't handle the grant type. This PR makes this possible to avoid handling the requested grant type if the specified client doesn't supports that.
   • It also makes it possible for us to disable issuing refresh token if the client doesn't handle this grant.

• See also [13.x] Determine if the client handles the specified grant laravel/passport#1762