Since our OOTB validation is solely based on JWT validation, we need to invalidate tokens when things like a permission change happen.
One approach would be making tokens very short-lived.
Another would be invalidating all tokens before a certain time.
Both require some sort of refresh flow, either with a refresh token or by providing the previous token.
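
One way the second approach could look together with a previous-token refresh, added here as an illustration and not code from this project. The stores `perms` and `valid_after`, the function names, the 5-minute lifetime and the choice to skip the cutoff during refresh are all assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed sample key
TOKEN_TTL = 300                   # assumption: 5-minute token lifetime
perms = {}                        # hypothetical store: subject -> permissions
valid_after = {}                  # hypothetical store: subject -> cutoff (epoch s)

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(signing_input):
    # Algorithm is pinned to HMAC-SHA256; the header's "alg" is never consulted.
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue(sub, now):
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "perms": perms[sub], "iat": now, "exp": now + TOKEN_TTL}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(header + '.' + body)}"

def _verified_claims(token, now):
    header, body, sig = token.split(".")
    if not hmac.compare_digest(sig.encode(), _sign(f"{header}.{body}").encode()):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def validate(token, now):
    claims = _verified_claims(token, now)
    # Reject anything issued before the subject's invalidation cutoff.
    if claims["iat"] < valid_after.get(claims["sub"], 0):
        raise ValueError("issued before invalidation cutoff")
    return claims

def change_permissions(sub, new_perms, now):
    perms[sub] = new_perms
    valid_after[sub] = now  # every token issued earlier is now stale

def refresh(previous_token, now):
    # Previous-token refresh: signature and expiry must still hold, but the
    # cutoff is not applied, so a stale token can be swapped for a fresh one.
    claims = _verified_claims(previous_token, now)
    return issue(claims["sub"], now)  # claims are rebuilt from the store
```

Because the refreshed token is rebuilt from the store, a stale token can never carry its old permissions forward; an expired one cannot be refreshed at all and forces a new login.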