complete refresh_token rotation functionality

[dagda1]

Although #252 added basic refresh_token functionality, there are still a few remaining features to simulate real refresh_token rotation.

• Check whether the token has expired
• With refresh_token rotation, all previous refresh_tokens for that session need to be expired
• The rotation number should be incremented concerning the current refresh_token when issuing a new refresh_token for the current session

This article is a good resource.