Expire time for refresh token

[jbagot]

I think would be fine if the refresh token will have the option to be expired. I can do a PR if is your are agree with that.
Sometimes is interesting have a refresh token with expire time. If we want to do a long live token with 60 days of inactivity and after this 60 days the user must relogin.
Let me know if it's interesting for you and I can implement it.

[Flor1an-dev]

Hi, I think this is an important feature. As far as I understand the existing code, a user can stay logged in forever if he has a refresh_token. With every refresh, the user will receive a new access/id_token and a new refresh_token. It also doesn't matter if the current access_token has expired, it is still possible to generate a new access_token with the refresh_token.

The only chance to block a user is to remove all tokens of the user!