fix: clarify refresh token parameter names and improve code readability

- Rename misleading parameters in Storage interface:
  - refreshTokenID → refreshToken
  - newRefreshTokenID → newRefreshToken

- Make bare returns explicit in token.go for better readability

- Add documentation to clarify token creation flow

The interface parameters were misleadingly named with 'ID' suffix when they
actually contain the full token values. The example implementations already
used the semantically correct names, creating inconsistency. This change
aligns the interface with its implementations and prevents confusion.

pkg/op/storage.go

@@ -41,8 +41,14 @@ type AuthStorage interface {
 	//   registered the refresh_token grant type in advance
 	//
 	// * TokenExchangeRequest as returned by ValidateTokenExchangeRequest
-	CreateAccessAndRefreshTokens(ctx context.Context, request TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshTokenID string, expiration time.Time, err error)
-	TokenRequestByRefreshToken(ctx context.Context, refreshTokenID string) (RefreshTokenRequest, error)
+	//
+	// CreateAccessAndRefreshToken creates both access and refresh tokens.
+	// The returned refresh token is the actual token value that will be passed
+	// directly to the client. The storage implementation is responsible for
+	// creating the complete refresh token (JWT or opaque format). For refresh tokens,
+	// in either format, the token itself serves as both the identifier and the credential.
+	CreateAccessAndRefreshTokens(ctx context.Context, request TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshToken string, expiration time.Time, err error)
+	TokenRequestByRefreshToken(ctx context.Context, refreshToken string) (RefreshTokenRequest, error)
 
 	TerminateSession(ctx context.Context, userID string, clientID string) error