Oauth2 Revoke Tokens (RFC 7009)
Currently the only way to revoke a access token / refresh tokens is to ether for the user to remove the oauth app from they account or a oauth app to delete the app itself witch also revoke all tokens. If you have a access token leaked within the app you would need to revoke everything even if just one token was compromised. With the RFC 7009 it's a own spec ontop off the oauth2 spec that adds in a endpoint that allow to revoke just one token.
You also have the problem with client side apps that use implicit tokens. When the app/site ask to generate a implicit this token is valid for a year. If the user then want to logout off this site this token is still valid and often just deleted from the cookie / local storage. This open up for that a token that shuld have been revoked when the user told to "logout" is still valid and if someone catpured this token it's free to use whiout anyone knowing.
There are more info about this at https://tools.ietf.org/html/rfc7009
Other big API's like google has this.