refresh token lookups are now scoped by application.
This bug meant that lookups of refresh token via the refresh token grant were not scoped by the application identified by the
/token request credentials, so grant hijacking could happen in theory, if attackers knew of existing refresh tokens.
The same issue was observed (and fixed) for token revocation (this time involving the access token).
Fix for a case which made resource indicators unusable under Rack 3.0 .