We use the access_token and refresh_token technique.
The access_token is very short-lived, whereas the refresh_token (which will be a copy of the access_token except for the expiry time) is relatively long-lived.
Once the access_token has expired, the refresh_token can be used to get a new set of tokens.
Now we maintain a list of invalidated refresh_token values, registering them on logout.
- More secure than only an access_token.
- We can implement sliding sessions.
- More optimal than blacklisting the access_token (as this will query the DB only when a refresh_token is sent).
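A self-contained sketch of the scheme above, added here as an example and not code from the original post: HMAC-signed tokens, an in-memory set standing in for the DB table of invalidated refresh tokens, and a refresh path that is the only place that set is consulted. The `typ` claim (so an access_token cannot be replayed as a refresh_token) and the rotation step that revokes a refresh_token once it has been used are additions beyond what the post describes; the secret and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret-not-for-production"
ACCESS_TTL = 300                 # 5 minutes: access_token is very short-lived
REFRESH_TTL = 7 * 24 * 3600      # 7 days: refresh_token is relatively long-lived
revoked_refresh = set()          # stand-in for the DB list of invalidated refresh_token values


def _sign(payload):
    """Serialize the claims and append an HMAC-SHA256 tag (assumed token format)."""
    raw = json.dumps(payload, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def _verify(token, now):
    """Return the claims if the tag is valid and the token is unexpired, else None."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                      # tampered or malformed token
    padded = body + "=" * (-len(body) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    return payload if payload["exp"] > now else None


def issue_tokens(user, now):
    """Both tokens carry the same claims; only typ and exp differ."""
    base = {"sub": user, "iat": now}
    return {
        "access_token": _sign({**base, "typ": "access", "exp": now + ACCESS_TTL}),
        "refresh_token": _sign({**base, "typ": "refresh", "exp": now + REFRESH_TTL}),
    }


def check_access(token, now):
    """Per-request check: signature and expiry only, no DB lookup."""
    claims = _verify(token, now)
    return claims["sub"] if claims and claims["typ"] == "access" else None


def refresh(refresh_token, now):
    """The only path that touches the revocation list; hands out a fresh pair (sliding session)."""
    claims = _verify(refresh_token, now)
    if not claims or claims["typ"] != "refresh" or refresh_token in revoked_refresh:
        return None
    revoked_refresh.add(refresh_token)   # rotation: a used refresh_token cannot be replayed
    return issue_tokens(claims["sub"], now)


def logout(refresh_token):
    """Register the refresh_token as invalidated; the access_token simply ages out."""
    revoked_refresh.add(refresh_token)
```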