feat(OIDC): support token revocation of V2 tokens (#6203)

This PR adds support for OAuth2 token revocation of V2 tokens.

Unlike with V1 tokens, a token can now be revoked not only by the authorized client (the client the token was issued to), but by any of the trusted clients in its audience.
This commit is contained in:
Livio Spring
2023-07-17 14:33:37 +02:00
committed by GitHub
parent ecf9835cb8
commit e1b3cda98a
17 changed files with 689 additions and 102 deletions


@@ -43,6 +43,9 @@ func (wm *OIDCSessionAccessTokenReadModel) Reduce() error {
wm.reduceAdded(e)
case *oidcsession.AccessTokenAddedEvent:
wm.reduceAccessTokenAdded(e)
case *oidcsession.AccessTokenRevokedEvent,
*oidcsession.RefreshTokenRevokedEvent:
wm.reduceTokenRevoked(event)
}
}
return wm.WriteModel.Reduce()
@@ -57,6 +60,8 @@ func (wm *OIDCSessionAccessTokenReadModel) Query() *eventstore.SearchQueryBuilde
EventTypes(
oidcsession.AddedType,
oidcsession.AccessTokenAddedType,
oidcsession.AccessTokenRevokedType,
oidcsession.RefreshTokenRevokedType,
).
Builder()
}
@@ -78,6 +83,11 @@ func (wm *OIDCSessionAccessTokenReadModel) reduceAccessTokenAdded(e *oidcsession
wm.AccessTokenExpiration = e.CreationDate().Add(e.Lifetime)
}
func (wm *OIDCSessionAccessTokenReadModel) reduceTokenRevoked(e eventstore.Event) {
wm.AccessTokenID = ""
wm.AccessTokenExpiration = e.CreationDate()
}
// ActiveAccessTokenByToken will check if the token is active by retrieving the OIDCSession events from the eventstore.
// refreshed or expired tokens will return an error
func (q *Queries) ActiveAccessTokenByToken(ctx context.Context, token string) (model *OIDCSessionAccessTokenReadModel, err error) {