Issue #2946882: Auth revoke on profile update

This commit moves the logic that responds to user and consumer changes for token invalidation into a service. This allows projects to swap out the logic if needed.

The default logic is very conservative, favoring security and possibly invalidating tokens too frequently. However, the logic that's actually required for token invalidation can differ per project depending on their business logic and it's difficult to find generalised logic that works for everyone.
