Not possible to revoke refresh tokens

[StanislavMachel]

There is an issue in https://github.com/spring-projects/spring-authorization-server/blob/main/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenRevocationAuthenticationProvider.java#L67

There is call of org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService#findByToken where the second parameter is always null, so it means if implement ' org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService#findByToken and rely ontokenType` makes it not possible to revoke refresh token efficiently.

To Reproduce
Implement org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService#findByToken without handing null.

Expected behavior
tokenType passed as parameter to org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService#findByToken

** Steps to reproduce**
Implement https://docs.spring.io/spring-authorization-server/reference/guides/how-to-jpa.html#authorization-service without handling null.

@Override
public OAuth2Authorization findByToken(String token, OAuth2TokenType tokenType) {
	Assert.hasText(token, "token cannot be empty");

	Optional<Authorization> result;
               if (OAuth2ParameterNames.STATE.equals(tokenType.getValue())) {
		result = this.authorizationRepository.findByState(token);
	} else if (OAuth2ParameterNames.CODE.equals(tokenType.getValue())) {
		result = this.authorizationRepository.findByAuthorizationCodeValue(token);
	} else if (OAuth2ParameterNames.ACCESS_TOKEN.equals(tokenType.getValue())) {
		result = this.authorizationRepository.findByAccessTokenValue(token);
	} else if (OAuth2ParameterNames.REFRESH_TOKEN.equals(tokenType.getValue())) {
		result = this.authorizationRepository.findByRefreshTokenValue(token);
	} else if (OidcParameterNames.ID_TOKEN.equals(tokenType.getValue())) {
		result = this.authorizationRepository.findByOidcIdTokenValue(token);
	} else if (OAuth2ParameterNames.USER_CODE.equals(tokenType.getValue())) {
		result = this.authorizationRepository.findByUserCodeValue(token);
	} else if (OAuth2ParameterNames.DEVICE_CODE.equals(tokenType.getValue())) {
		result = this.authorizationRepository.findByDeviceCodeValue(token);
	} else {
		result = Optional.empty();
	}

	return result.map(this::toObject).orElse(null);
}

[jgrandja]

@StanislavMachel Refresh tokens are revokable and this capability has been in place for a few years now.

Please see the integration test requestWhenRevokeRefreshTokenThenRevoked(), which demonstrates revoking a refresh token (and associated access token):

spring-authorization-server/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenRevocationTests.java

Line 164 in d32c185

public void requestWhenRevokeRefreshTokenThenRevoked() throws Exception {