Hashing of access tokens values for storage

[jkakavas]

Since #39631 the access token string is part of the token document ID. We should move forward with the planned changes regarding the hashing of the access token string before it becomes part of the token document id in the same version also ( 7.1 ).
This is required so that potential read access to the token security index will not allow for authentication.

Relates: #37038 , #39631

[elasticmachine]

Pinging @elastic/es-security

[albertzaharovits]

Refresh tokens also require hashing.

I assume you mean unsalted hashes, given that Access Tokens have a max lifetime of 1h and Refresh Tokens of 24h hours, and that these id are randomly generated with ~120 bits of entropy.

[jkakavas]

Refresh tokens also require hashing.

I assume you mean unsalted hashes,

Correct, this will be implemented as designed and described in the original email. The fact that these will be unsalted doesn't have to do with the lifetime of the tokens but only with the bits of entropy that makes the computation and storage of rainbow tables impossible