
Hash/Encrypt OAuth tokens

Currently, GitLab Doorkeeper OAuth Application secrets and tokens are stored in plaintext in the database: in the oauth_applications table in the secret column, and in the oauth_access_tokens table in the token and refresh_token columns.

Doorkeeper has support for hashing/encrypting these values. See https://github.com/doorkeeper-gem/doorkeeper/blob/master/lib/generators/doorkeeper/templates/migration.rb.erb#L60-72 for more information. It supports SHA256 and BCrypt out of the box, but it is also possible to create your own strategy. You can see how 'simple' the SHA256 implementation is: https://github.com/doorkeeper-gem/doorkeeper/blob/main/lib/doorkeeper/secret_storing/sha256_hash.rb

Given our efforts to change from BCrypt to SHA512 or PBKDF2 for password hashing, I think we should do the same here with our own strategy implementation.

Doorkeeper also supports falling back to plaintext secrets and tokens to support proactive migration.

NOTE: Hashing is not compatible with the reuse_access_token configuration, which we use and which we propose to change as part of #363525 (closed).
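To make the proposal concrete, here is an added sketch (not Doorkeeper's or GitLab's code) of a SHA512 strategy shaped like Doorkeeper's SecretStoring classes, together with a hashed-first, plaintext-fallback lookup that upgrades legacy rows as they are used. The method names, the Row struct and the sample rows are assumptions for illustration; it only shows why one-way storage cannot hand an existing token back to a client.

```ruby
require "digest"

# Illustrative SHA512 strategy shaped like Doorkeeper's SecretStoring classes
# (transform_secret / secret_matches? / restore_secret). Added for this issue;
# not Doorkeeper's or GitLab's own code.
module Sha512SecretStoring
  module_function

  # One-way transform: the value written to the token/secret column.
  def transform_secret(plain_secret)
    Digest::SHA512.hexdigest(plain_secret)
  end

  # Constant-time comparison so a timing side channel cannot reveal how many
  # leading bytes of a presented value are correct.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def secret_matches?(input, stored)
    secure_compare(transform_secret(input), stored)
  end

  # A hash cannot be turned back into the plaintext, which is why hashed
  # storage clashes with reuse_access_token: the original token can no longer
  # be handed back to a client on a repeat authorization.
  def restore_secret(_resource, _attribute)
    raise NotImplementedError, "SHA512 storage is one-way"
  end
end

# Constructed stand-in for oauth_access_tokens rows (no database needed).
Row = Struct.new(:token)

# Lookup with plaintext fallback for proactive migration: try the hashed value
# first, then the legacy plaintext value; a legacy hit is rewritten as a hash
# so the table converges to hashed tokens as they are used.
def find_by_plaintext_token(rows, presented)
  hashed = Sha512SecretStoring.transform_secret(presented)
  hit = rows.find { |r| Sha512SecretStoring.secure_compare(r.token, hashed) }
  return hit if hit
  # Never treat a presented value that is itself a SHA512 hex digest as a
  # plaintext token; otherwise an already-upgraded row could be matched by
  # presenting its stored hash.
  return nil if presented.match?(/\A\h{128}\z/)
  legacy = rows.find { |r| Sha512SecretStoring.secure_compare(r.token, presented) }
  legacy&.tap { |r| r.token = hashed } # upgrade the legacy row in place
end
```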

Edited by Drew Blessing