If the blacklist app is enabled mark rotated refresh tokens as outstanding

[vainu-arto]

The token blacklisting itself works without this (the OutstandingToken object will be created when adding a token to the blacklist), but the list of outstanding tokens would very quickly get out of date in the presence of refresh token rotation, and be unusable for any other purpose (for example being able to tell which users have valid outstanding tokens).

Fixes #363 and #25

[aaronn]

Just came across this because I believe I have the same issue. When a token is initially created, it is added to the OutstandingToken table. However, when that same token is refreshed, the new refresh token isn't added to the new OutstandingToken table, causing it to then be rejected when there is an attempt to use it to refresh.

Is that right @vainu-arto?

[vainu-arto]

Just came across this because I believe I have the same issue. When a token is initially created, it is added to the OutstandingToken table. However, when that same token is refreshed, the new refresh token isn't added to the new OutstandingToken table, causing it to then be rejected when there is an attempt to use it to refresh.

In my case refreshing tokens succeeds. At least the version of this lib I'm running doesn't require that the token exists in OutstandingToken before allowing it to be refreshed.