Access token revocation on code reuse attempt #19

@tekul

OP-OAuth-2nd-Revokes requires that using an authorization code twice revokes access tokens.

See also 10.5 of RFC6749

The requirement is only for access tokens based on the code itself, but this won't be possible for JWT tokens which aren't cached at the OP. The code would also have to be stored with the token.
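
One way an OP could meet this requirement for access tokens it stores itself, shown as an added example that is not part of the original issue or the project's code. The class and method names are hypothetical, and it covers only server-stored (opaque) tokens, where each token is recorded together with the code it came from.

```python
import secrets
import time


class CodeReuseError(Exception):
    """An authorization code was presented a second time."""


class CodeStore:
    """Hypothetical in-memory store linking access tokens to their code."""

    def __init__(self, code_ttl=600):
        self.code_ttl = code_ttl
        self.codes = {}   # code -> {"client_id", "expires", "used"}
        self.tokens = {}  # access token -> code it was issued from

    def issue_code(self, client_id):
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id,
                            "expires": time.time() + self.code_ttl,
                            "used": False}
        return code

    def redeem(self, code, client_id):
        entry = self.codes.get(code)
        if entry is None:
            raise ValueError("invalid_grant")
        # Check reuse first: a used code must stay in the store so a
        # replay is recognised even after the code itself has expired.
        if entry["used"]:
            self._revoke_tokens_for(code)
            raise CodeReuseError("invalid_grant")
        if entry["client_id"] != client_id or entry["expires"] < time.time():
            raise ValueError("invalid_grant")
        entry["used"] = True
        token = secrets.token_urlsafe(32)
        self.tokens[token] = code  # the code is stored with the token
        return token

    def _revoke_tokens_for(self, code):
        # Revoke only tokens derived from this code, as the issue describes.
        for token in [t for t, c in self.tokens.items() if c == code]:
            del self.tokens[token]

    def is_active(self, token):
        return token in self.tokens
```
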
