Right now any valid token can be used to introspect any other token.
From the token introspection RFC (https://tools.ietf.org/html/rfc7662, bottom of page 11):

> If left unprotected and un-throttled, the introspection endpoint could present a means for an attacker to poll a series of possible token values, fishing for a valid token. To prevent this, the authorization server MUST require authentication of protected resources that need to access the introspection endpoint and SHOULD require protected resources to be specifically authorized to call the introspection endpoint.
The request is to implement the "SHOULD require protected resources to be specifically authorized to call the introspection endpoint" otherwise one oauth user can introspect another oauth user's token.
Also, if revoke doesn't have a similar scope or policy restriction, any token could be used to revoke any other token. (I have not tested this scenario yet)
The revocation RFC (https://tools.ietf.org/html/rfc7009) states:

> The authorization server first validates the client credentials (in case of a confidential client) and then verifies whether the token was issued to the client making the revocation request. If this validation fails, the request is refused and the client is informed of the error by the authorization server as described below.
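The two checks discussed in this issue and the comment above, as an added example that is not code from this project: a minimal model of an authorization server whose `/introspect` handler (RFC 7662) authenticates the caller and additionally requires a per-client `may_introspect` grant before it will say anything about a token, and whose `/revoke` handler (RFC 7009) refuses to revoke a token that was not issued to the authenticated client. The `Client`/`Token` classes, the `may_introspect` flag, the `AuthServer` class and its method names are all assumptions made for this example; real servers key the authorization on a scope, an audience or a client role, and the example uses client-credential authentication rather than a separate bearer token for the introspection caller. The error codes on refusal (`access_denied` for an unauthorized introspection caller, `unauthorized_client` for a cross-client revoke) are also a choice made here; RFC 7662 does not mandate a specific code for the "not specifically authorized" case.

```python
"""Model of RFC 7662 introspection and RFC 7009 revocation authorization checks.

Example code written for this discussion, not the project's implementation.
"""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Client:
    client_id: str
    secret: str
    # Hypothetical grant: only resource servers that are explicitly authorized
    # may call /introspect (RFC 7662 "SHOULD require protected resources to be
    # specifically authorized to call the introspection endpoint").
    may_introspect: bool = False


@dataclass
class Token:
    value: str
    client_id: str   # the client this token was issued to
    scope: str
    exp: float
    revoked: bool = False


class AuthServer:
    def __init__(self):
        self.clients = {}
        self.tokens = {}

    def register_client(self, client_id, secret, may_introspect=False):
        self.clients[client_id] = Client(client_id, secret, may_introspect)

    def issue_token(self, client_id, scope, ttl=3600):
        value = secrets.token_urlsafe(32)
        self.tokens[value] = Token(value, client_id, scope, time.time() + ttl)
        return value

    def _authenticate(self, client_id, client_secret):
        """Return the Client on valid credentials, else None (RFC 7662 MUST)."""
        client = self.clients.get(client_id)
        if client is None:
            # A production server would also equalize timing for unknown ids.
            return None
        if not hmac.compare_digest(client.secret.encode(), client_secret.encode()):
            return None
        return client

    def _lookup_active(self, token):
        t = self.tokens.get(token)
        if t is None or t.revoked or t.exp < time.time():
            return None
        return t

    def introspect(self, client_id, client_secret, token):
        """Return (http_status, json_body) for an introspection request."""
        client = self._authenticate(client_id, client_secret)
        if client is None:
            return 401, {"error": "invalid_client"}
        if not client.may_introspect:
            # Authenticated, but not authorized to introspect: refuse before
            # touching the token store, so the caller learns nothing about it.
            return 403, {"error": "access_denied"}
        t = self._lookup_active(token)
        if t is None:
            # RFC 7662 s2.2: unknown, expired or revoked tokens are simply inactive.
            return 200, {"active": False}
        return 200, {"active": True, "client_id": t.client_id,
                     "scope": t.scope, "exp": int(t.exp)}

    def revoke(self, client_id, client_secret, token):
        """Return (http_status, json_body) for a revocation request."""
        client = self._authenticate(client_id, client_secret)
        if client is None:
            return 401, {"error": "invalid_client"}
        t = self.tokens.get(token)
        if t is None:
            # RFC 7009 s2.2: an invalid token is not an error; respond 200.
            return 200, {}
        if t.client_id != client.client_id:
            # RFC 7009 s2.1: the token must have been issued to the requesting client.
            return 400, {"error": "unauthorized_client"}
        t.revoked = True
        return 200, {}


def demo():
    """Two apps hold tokens; only the resource server may introspect, and
    neither app can revoke the other's token. Returns the final introspection."""
    srv = AuthServer()
    srv.register_client("rs-api", "rs-secret", may_introspect=True)
    srv.register_client("app-a", "secret-a")
    srv.register_client("app-b", "secret-b")
    tok_a = srv.issue_token("app-a", "read")
    assert srv.introspect("app-b", "secret-b", tok_a)[0] == 403   # not authorized
    assert srv.revoke("app-b", "secret-b", tok_a)[0] == 400       # not app-b's token
    assert srv.revoke("app-a", "secret-a", tok_a) == (200, {})    # owner may revoke
    return srv.introspect("rs-api", "rs-secret", tok_a)


if __name__ == "__main__":
    print(demo())
```

The ordering matters: the authorization check runs before any token lookup, so a client that is authenticated but not authorized gets the same 403 whether or not the token it submitted exists, and the endpoint cannot be used as an oracle for guessing token values.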