Allow "unauthorize" in broader scenarios #8

@aaronpk

The description of "unauthorize" is currently:

> The OP sends this command when it suspects a previous OpenID Connect ID Token issued by the OP was granted to a malicious actor.

I'm not sure if this was actually intended to be defined as such a limited scope, but I don't think this should be limited to "malicious actors". It should also be allowed for other situations such as if the OP determines a device has been compromised.
