We should keep refresh_token and access_token in redis for security matters

[pshaddel]

It has some security benefits,

• We have all the access tokens in redis, so in case we want to change something we can erase all and users should login again.
• At the time users is issuing a new access and refresh token we should destroy the existing refresh token and access token.
• At login we should destroy the access_token