// revoke refresh token only if it belongs to client doing the request
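        /// <summary>
        /// Looks up the refresh token for <paramref name="handle"/> and, when it was issued to
        /// <paramref name="client"/>, removes the refresh tokens and reference tokens stored for
        /// the token's subject/client pair. A token issued to a different client is left in place;
        /// the attempt is logged as a warning and raised as a failure event.
        /// </summary>
        /// <param name="handle">Refresh token handle supplied in the revocation request.</param>
        /// <param name="client">Client making the revocation request.</param>
        /// <returns>
        /// <c>true</c> when a refresh token was found for the handle, whether or not it was revoked;
        /// <c>false</c> when no refresh token matches the handle.
        /// </returns>
        private async Task<bool> RevokeRefreshTokenAsync(string handle, Client client)
        {
            var token = await _grants.GetRefreshTokenAsync(handle);

            if (token == null)
            {
                return false;
            }

            if (token.ClientId == client.ClientId)
            {
                await _grants.RemoveRefreshTokensAsync(token.SubjectId, token.ClientId);
                await _grants.RemoveReferenceTokensAsync(token.SubjectId, token.ClientId);

                // Logged after both removals so the entry is only written once they completed.
                _logger.LogDebug("Refresh token revoked");
            }
            else
            {
                // string.Format only accepts numeric placeholders ({0}, {1}); the previous named
                // placeholders made it throw FormatException, so a cross-client revocation attempt
                // surfaced as an unhandled error and was never logged or raised as an event.
                var message = $"Client {client.ClientId} tried to revoke a refresh token belonging to a different client: {token.ClientId}";

                // Client ids are passed as arguments rather than embedded in the template, so
                // braces inside an id cannot be parsed as logging placeholders.
                _logger.LogWarning(
                    "Client {clientId} tried to revoke a refresh token belonging to a different client: {tokenClientId}",
                    client.ClientId,
                    token.ClientId);

                await RaiseFailureEventAsync(message);
            }

            // The handle resolved to a refresh token; ownership mismatch still reports true.
            return true;
        }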