Logout doesn't revoke the refresh token(s)

[RobPethick]

Checklist

• The issue can be reproduced in the auth0-spa-js sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the documentation and API documentation, and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

I have seen the discussion here: #1013. And the recommendation there to just get a new refresh token and then forgetting it. This isn't a correct solution for me, this will fail our security reviews. Refresh tokens should be revoked when they are done with.

In my book we shouldn't expose a revoke token method but instead we should add it to the logic within the logout method as that is the only time a client would revoke the refresh token

Reproduction

1. Copy refresh token
2. Logout
3. Use refresh token
4. Expected: refresh token can't be used, Actual: refresh token still useable

Additional context

I would be really happy to submit a PR for this improvement

auth0-spa-js version

2.1.3

Which framework are you using (React, Angular, Vue...)?

React (wrapping auth0-spa-js)

Framework version

No response

Which browsers have you tested in?

Chrome, Firefox