AuthorizedApplications returns the date that the _application_ was created, not the date that the _authorization_ was created

[kmayer]

Steps to reproduce

AuthorizedApplications controller returns the date that the application was created, not the date that the authorization was created.

See also #279 and #109

I'd like to start with a design discussion rather than a PR, but I could do both. (by the way, I see that GitHub now has a discussion board option, separate form the issue board).

The way I see it, there are at least two possibilities:

1. AccessTokens belongs_to an AccessGrant and AccessGrants have_many AccessTokens. This has several effects: Grants must live for the life of the authorization and there's an added foreign key. I don't expect our access_grants to grow very bit, perhaps 100,000 rows, but that does take a toll. And the foreign key needs to copied with every fresh AccessToken. When an authorization is revoked, we need someone to mark the grant for deletion, since revoked_at is already in use.
2. AccessTokens get a new field, authorized_at and that datum is propagated with every fresh AccessToken that is generate, much like scopes are now. This adds an extra datestamp column to access_tokens (while option 1 adds foreign reference key).

Option 1 is a JOIN and requires some way to clean up the grant after the authorization has been revoked, Option 2 provides the data in the record, does not require any extra clean up logic, but duplicates it across the life of the authorization, and if anyone wanted to get other info from the Grant, they couldn't.

A third option is a variant on 2, but I just make my own custom modification to access_tokens and copy my new authorized_at column in one of the callback hooks, e.g. after_successful_authorization