Steps to reproduce
Our ResourceServer is a separate application from the AuthorizationServer, so we can't modify our controllers to invoke doorkeeper_authorize!. Instead, we call token/introspect on provided tokens. The RS is itself a client application; it uses client_credentials and has a special introspect scope to allow it to examine tokens issued by any other client. We noticed that revoke-on-use does not happen as it would if we could use the provided doorkeeper_authorize! action helper.
Expected behavior
Calling token/introspect on a token should have the same behavior as doorkeeper_authorize! has on it.
Actual behavior
The tokens aren't revoked, and we don't know what's the appropriate path to create portable behavior that is identical to doorkeeper_authorize!
System configuration
Here's a diff that adds a new example for the TokensController
diff --git a/spec/controllers/tokens_controller_spec.rb b/spec/controllers/tokens_controller_spec.rb
index de0088b6..eb55fb1f 100644
--- a/spec/controllers/tokens_controller_spec.rb
+++ b/spec/controllers/tokens_controller_spec.rb
@@ -496,6 +496,18 @@ RSpec.describe Doorkeeper::TokensController, type: :controller do
)
end
+ it "revokes the previous refresh_token of the token being introspected" do
+ previous_token = FactoryBot.create(:access_token, refresh_token: "refresh_token")
+ token_for_introspection.previous_refresh_token = previous_token.refresh_token
+ token_for_introspection.save!
+
+ request.headers["Authorization"] = "Bearer #{access_token.token}"
+
+ post :introspect, params: { token: token_for_introspection.token }
+
+ expect(previous_token.reload).to be_revoked
+ end
+
it "responds with invalid_token error if authorized token doesn't have introspection scope" do
access_token.update(scopes: "read write")
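Review bot: the new example asserts only that `previous_token` ends up revoked and never checks that the introspection request itself succeeded, so a 401 from `post :introspect` (for example if `access_token` lacked the introspect scope, the situation the following example exercises) would fail this test for an unrelated reason. Suggest adding `expect(response).to have_http_status(:ok)` before `expect(previous_token.reload).to be_revoked`. A one-line comment above `previous_token = FactoryBot.create(...)` explaining that the separately created token is linked to `token_for_introspection` only through `previous_refresh_token` would also make the setup easier to follow.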
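For readers unfamiliar with the resource-server side of the setup the issue describes, here is an added example (editor's code, not Doorkeeper's and not the reporter's) of how an RS calls the introspection endpoint with its own client_credentials token and turns the answer into an authorization decision. The host name, the `/oauth/token/introspect` path, the token strings and the `introspect` / `authorized?` helpers are assumptions; the transport is injectable so the logic can be exercised offline. Note that this only observes the authorization server's view of a token; revoking a previous refresh token (the behaviour the issue asks for) can only happen on the AS side, which is exactly why the RS has no portable way to trigger it.

```ruby
require "net/http"
require "uri"
require "json"

# Introspection endpoint of the authorization server (constructed URL; the
# path is assumed to be Doorkeeper's default token/introspect route).
INTROSPECTION_URI = URI("https://auth.example.test/oauth/token/introspect")

# Real transport: POST form data with the RS's bearer token and return
# [status, body]. Replaced by a fake in tests so nothing touches the network.
DEFAULT_TRANSPORT = lambda do |uri, headers, form|
  req = Net::HTTP::Post.new(uri)
  headers.each { |k, v| req[k] = v }
  req.set_form_data(form)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
    http.request(req)
  end
  [res.code.to_i, res.body]
end

IntrospectionResult = Struct.new(:active, :scopes, :client_id, :expires_at, keyword_init: true)

INACTIVE = IntrospectionResult.new(active: false, scopes: [], client_id: nil, expires_at: nil).freeze

def parse_json(body)
  data = JSON.parse(body)
  data.is_a?(Hash) ? data : {}
rescue JSON::ParserError
  {}
end

# Ask the AS about `token`, authenticating with the RS's own client_credentials
# access token (which must carry the introspect scope). Anything other than
# HTTP 200 with "active": true is treated as inactive, so the RS fails closed
# when the endpoint rejects the RS's credentials or returns something unexpected.
def introspect(token, rs_access_token:, transport: DEFAULT_TRANSPORT, uri: INTROSPECTION_URI)
  headers = { "Authorization" => "Bearer #{rs_access_token}", "Accept" => "application/json" }
  status, body = transport.call(uri, headers, { "token" => token })
  return INACTIVE unless status == 200

  data = parse_json(body)
  return INACTIVE unless data["active"] == true

  IntrospectionResult.new(
    active: true,
    scopes: data.fetch("scope", "").split,  # RFC 7662: space-separated scope string
    client_id: data["client_id"],
    expires_at: data["exp"]
  )
end

# The decision an RS controller would make before serving a request:
# the token must be active and carry every scope the endpoint requires.
def authorized?(token, required_scopes, **introspect_opts)
  result = introspect(token, **introspect_opts)
  result.active && (required_scopes - result.scopes).empty?
end
```

`authorized?` is what an RS would call in place of doorkeeper_authorize!; it deliberately collapses network errors, non-200 responses and malformed JSON into "not authorized" rather than distinguishing them, because none of those cases justify serving the resource.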