feat: graceful refresh token rotation

[aeneasr]

Related issue(s)

Closes https://github.com/ory/hydra/pull/3770

Checklist

• [ ] I have read the contributing guidelines.
• [ ] I have referenced an issue containing the design document if my change introduces a new feature.
• [ ] I am following the contributing code guidelines.
• [ ] I have read the security policy.
• [ ] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got the approval (please contact security@ory.sh) from the maintainers to push the changes.
• [ ] I have added tests that prove my fix is effective or that my feature works.
• [ ] I have added or changed the documentation.

Further Comments

[zepatrik]

From the original PR:

Shouldn't we also ensure that when a new refresh token is issued the grand parent refresh token is revoked and also all the "brother" refresh tokens are revoked?

[aeneasr]

From the original PR:

Shouldn't we also ensure that when a new refresh token is issued the grand parent refresh token is revoked and also all the "brother" refresh tokens are revoked?

I think we test this here: https://github.com/ory/hydra/pull/3860/files#diff-6d883efffdabd9715dc9872121018df30a5843c81e25dc6c4af2c3edc13fb21cR442

[aeneasr]

@zepatrik can you please approve if you're fine with the state as it is?

[aeneasr]

I have added a test case that revokes the consent session and checks that all tokens are correctly invalidated. Tests pass :)