songkick / oauth2-provider

Simple OAuth 2.0 provider toolkit
MIT License
529 stars 148 forks

set refresh token when grant type is `code` #23

Closed drunkhacker closed 12 years ago

drunkhacker commented 12 years ago

When a client issues an authorize request with response_type=code, the authorize server gives an access_token without expires_in or refresh_token values even if the grant_access! method is called with the duration option.

I've tested this situation with the following scenario.

  1. Client makes a GET request with URL = http://oauth_server.dev/oauth/authorize?client_id=xxx&redirect_uri=http://client.dev/cb&response_type=code
  2. In the server's authorize action, renders an application allowance form
  3. In the server's allow action, OAuth2::Provider::Authorization is constructed with @user and params with params[:client_id], params[:response_type], params[:redirect_uri]. Then it calls grants_access!(:duration => 3600) and redirects to the client's redirect_uri with a code parameter.
  4. In the client, the client issues a POST request to http://oauth_server.dev/oauth/access_token with params[:grant_type] = "code", params[:code] = xxx, params[:client_id]=yyy and params[:client_secret]=zzz, and the authorization server gives a response with a valid access_token but no refresh_token or expires_in values. I think those values should be in the response.

In oauth2/model/authorization.rb, the exchange! method just sets refresh_token to nil with no condition check.

def exchange!
  self.code          = nil                             # the authorization code is single-use
  self.access_token  = self.class.create_access_token  # issue a fresh access token
  self.refresh_token = nil                             # always cleared, regardless of expiry
  save!
end

I think it should check whether the expires_in parameter is set, and it has to generate a refresh_token in that case.
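The behaviour the issue asks for, as an added example that is not part of the gem or of the reporter's post: a constructed stand-in `Authorization` class (the class, `create_token`, `exchange!` and `token_response` are assumptions for illustration, not the project's API) whose code exchange issues a refresh token only when the grant has a finite lifetime, rejects reuse of a consumed code, and builds the token response with `expires_in` and `refresh_token` only when they apply.

```ruby
require 'securerandom'

# Constructed stand-in for an authorization record (not the gem's model).
# Holds the single-use code plus the tokens minted when it is exchanged.
class Authorization
  attr_reader :code, :access_token, :refresh_token, :expires_at

  # expires_at is nil for a grant that never expires (no duration given).
  def initialize(code:, expires_at: nil)
    @code = code
    @expires_at = expires_at
    @access_token = nil
    @refresh_token = nil
  end

  # 256 bits from the CSPRNG, hex encoded; unguessable token material.
  def self.create_token
    SecureRandom.hex(32)
  end

  def expires?
    !@expires_at.nil?
  end

  # Exchange the authorization code for tokens. A refresh token only makes
  # sense when the access token will expire, so it is issued only then.
  def exchange!
    raise 'code already used' if @code.nil?
    @code = nil                                          # code is single-use
    @access_token = self.class.create_token
    @refresh_token = expires? ? self.class.create_token : nil
    self
  end

  # Body of the token endpoint response. expires_in is the remaining
  # lifetime in seconds relative to `now`, never negative.
  def token_response(now)
    body = { 'access_token' => @access_token, 'token_type' => 'bearer' }
    if expires?
      body['expires_in'] = [(@expires_at - now).to_i, 0].max
      body['refresh_token'] = @refresh_token
    end
    body
  end
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now
  auth = Authorization.new(code: 'constructed-code', expires_at: now + 3600)
  auth.exchange!
  p auth.token_response(now)   # includes expires_in and refresh_token
end
```

Passing the clock in explicitly keeps the expiry arithmetic testable; a token with a lifetime but no refresh token forces the user back through the authorize step every hour, which is what the reporter observed.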

drunkhacker commented 12 years ago

Sorry, I didn't notice issue #15