    Revoke OAuth grants when a user revokes an application · 9e9d97f7
    Drew Blessing authored
    Currently, when a user revokes OAuth applications, only
    existing access tokens are revoked. If an application has already
    requested a code (grant) to later redeem for an access token, the
    grant may remain valid and will generate a valid access token
    until expired (10 min expiry). This change ensures both access
    tokens *and* grants are revoked when a user revokes the application.
security-200-dblessing-insufficient-oauth-revocation.yml 104 Bytes
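To make the gap described in the commit message concrete, the following is an added illustration, not GitLab's or Doorkeeper's code: a toy in-memory authorization server with a 10-minute grant (authorization code) lifetime, where the pre-fix revocation path revokes only access tokens, so an already-issued but unredeemed code can still be exchanged for a fresh token, while the fixed path revokes outstanding grants as well. Every name here (AuthServer, issue_grant, redeem, revoke_application, compare_strategies) is invented for the example.

```ruby
require 'securerandom'

# Constructed toy model of an OAuth authorization-code server (not GitLab's
# or Doorkeeper's code). A Grant is the short-lived code handed to the app;
# a Token is what the app gets when it redeems that code.
Grant = Struct.new(:code, :app_id, :user_id, :expires_at, :revoked_at) do
  def usable?(now = Time.now)
    revoked_at.nil? && now < expires_at
  end
end

Token = Struct.new(:value, :app_id, :user_id, :revoked_at) do
  def usable?
    revoked_at.nil?
  end
end

class AuthServer
  GRANT_TTL = 10 * 60 # seconds; mirrors the 10 min expiry in the commit message

  attr_reader :grants, :tokens

  def initialize
    @grants = []
    @tokens = []
  end

  # Step 1 of the code flow: the application obtains an authorization code.
  def issue_grant(app_id:, user_id:, now: Time.now)
    g = Grant.new(SecureRandom.hex(16), app_id, user_id, now + GRANT_TTL, nil)
    @grants << g
    g
  end

  # Step 2: the application redeems the code for an access token.
  # Returns nil when the code is unknown, expired, revoked or already used.
  def redeem(code, now: Time.now)
    g = @grants.find { |x| x.code == code }
    return nil unless g&.usable?(now)

    g.revoked_at = now # a code is single-use
    t = Token.new(SecureRandom.hex(16), g.app_id, g.user_id, nil)
    @tokens << t
    t
  end

  # Pre-fix behaviour: only existing access tokens are revoked, leaving any
  # outstanding grant redeemable until its expiry.
  def revoke_application_tokens_only(app_id:, user_id:, now: Time.now)
    @tokens.each do |t|
      t.revoked_at ||= now if t.app_id == app_id && t.user_id == user_id
    end
  end

  # Fixed behaviour: access tokens *and* outstanding grants are revoked.
  def revoke_application(app_id:, user_id:, now: Time.now)
    revoke_application_tokens_only(app_id: app_id, user_id: user_id, now: now)
    @grants.each do |g|
      g.revoked_at ||= now if g.app_id == app_id && g.user_id == user_id
    end
  end

  def active_tokens_for(app_id:, user_id:)
    @tokens.count { |t| t.app_id == app_id && t.user_id == user_id && t.usable? }
  end
end

# Runs the same scenario (grant issued, user revokes the app, app then tries to
# redeem the grant) under both strategies and returns how many tokens each
# strategy let through after revocation: 1 for the pre-fix path, 0 for the fix.
def compare_strategies
  results = {}
  %i[revoke_application_tokens_only revoke_application].each do |strategy|
    server = AuthServer.new
    grant = server.issue_grant(app_id: 'app-1', user_id: 'u-1')
    server.public_send(strategy, app_id: 'app-1', user_id: 'u-1')
    server.redeem(grant.code)
    results[strategy] = server.active_tokens_for(app_id: 'app-1', user_id: 'u-1')
  end
  results
end

puts compare_strategies.inspect if $PROGRAM_NAME == __FILE__
```

The detection-minded takeaway is the invariant worth testing in any authorization server: after a user revokes an application, no artefact tied to that (user, application) pair, neither tokens nor pending codes, may still produce a usable token, regardless of the code's remaining TTL.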