I'd propose an alternate (and simpler) solution: when we have a
token, avoid caching the access token.

So every request from an app for a token would result in a roundtrip to the token
endpoint, and a new access token being issued? That's abuse of refresh tokens, in my
opinion. Clients are supposed to use the tokens they've been issued for as long as
they can, and one of SSO's selling points is a secure token cache.