feat(oauth2): Add support for revoking access/tokens for the client app

[fioan89]

Token revocation is opt-in. RFC 7009 defines a token revocation endpoint that authorization servers can implement. Coder server implements the RFC we can explicitly revoke the refresh and access token on logout.

A simple implementation can always revoke all the tokens. A more flexible approach allows users to configure whether or not the tokens will be invalidated upon logout