OAuth token repository

When we introduced JWT, we stopped using the TokenRepository and validating tokens on the server.

At the moment, an OAuth JWT token cannot be revoked -- the token is valid until it expires and the expiration date is encoded in the token itself.

I think we need to be able to revoke OAuth tokens.