Access tokens should be revoked when multiple attempts are made to exchange the same authorization code · Issue #1713 · doorkeeper-gem/doorkeeper · GitHub
Access tokens should be revoked when multiple attempts are made to exchange the same authorization code #1713
Open
@ransombriggs

Description

Steps to reproduce

I am working through a review with our security team and they requested that I revoke access tokens when there are multiple attempts to exchange the authorization code. This is one of the security recommendations from the RFC, and I went to see if there were any hooks available that would allow us to revoke the tokens, but none seem to be available. Specifically, I was hoping that I could register a hook at this point so that I can revoke the access tokens. If it would help, I can make a PR for this functionality.

Authorization codes MUST be short lived and single-use. If the
authorization server observes multiple attempts to exchange an
authorization code for an access token, the authorization server
SHOULD attempt to revoke all access tokens already granted based on
the compromised authorization code.
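As an added illustration of the behaviour the RFC text above asks for (this is constructed example code, not Doorkeeper's own classes or a proposed hook API; `TokenEndpoint`, `AccessGrant` and `AccessToken` are assumed names), here is an in-memory model of a token endpoint that tracks whether an authorization code has already been exchanged and, on a second presentation of the same code, revokes the code and every access token granted from it:

```ruby
require 'securerandom'
# Constructed in-memory model, not Doorkeeper's own classes or API.
AccessGrant = Struct.new(:code, :client_id, :redirect_uri, :expires_at, :used_at, :revoked_at)
AccessToken = Struct.new(:token, :grant_code, :client_id, :revoked_at)

class TokenEndpoint
  def initialize(clock: -> { Time.now })
    @grants = {} # code => AccessGrant
    @tokens = [] # every access token ever issued
    @clock  = clock
  end
  # Issue a short-lived, single-use authorization code bound to a client.
  def issue_code(client_id, redirect_uri, ttl: 60)
    code = SecureRandom.hex(16)
    @grants[code] = AccessGrant.new(code, client_id, redirect_uri, @clock.call + ttl, nil, nil)
    code
  end
  # Exchange a code for an access token.
  # Returns [:ok, token] or [:error, :invalid_grant, number_of_tokens_revoked].
  def exchange(code, client_id, redirect_uri)
    now   = @clock.call
    grant = @grants[code]
    return [:error, :invalid_grant, 0] if grant.nil? || grant.revoked_at
    if grant.used_at
      # Any second presentation of the code is treated as compromise: revoke the
      # code and every token already granted on it (RFC 6749 section 4.1.2).
      grant.revoked_at = now
      return [:error, :invalid_grant, revoke_tokens_for(code, now)]
    end
    # Ordinary single-use checks: client/redirect binding and expiry.
    if grant.client_id != client_id || grant.redirect_uri != redirect_uri || now > grant.expires_at
      return [:error, :invalid_grant, 0]
    end
    grant.used_at = now
    token = AccessToken.new(SecureRandom.hex(32), code, client_id, nil)
    @tokens << token
    [:ok, token]
  end

  # True while the token exists and has not been revoked.
  def active?(token_string)
    @tokens.any? { |t| t.token == token_string && t.revoked_at.nil? }
  end

  private
  # Revoke every unrevoked token granted on +code+; returns the count revoked.
  def revoke_tokens_for(code, now)
    hit = @tokens.select { |t| t.grant_code == code && t.revoked_at.nil? }
    hit.each { |t| t.revoked_at = now }.size
  end
end
```

In a real authorization server the `used_at`/`revoked_at` state would live in the persisted grant and token records so that the check holds across processes.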
