FOSOAuthServerBundle
Suggested way to handle deactivated users
We are using an OAuth2 server to authorize our users into internal applications.
Until now, a leaving employee was deactivated and his access_token + refresh_token were removed (once the access token expired after 3600 seconds, he was logged out of the internal applications).
I am curious if there is a better way to handle it. I.e. using UserChecker and failing the token refresh once a deactivated user tries to refresh. Tokens would then expire naturally and be cleaned up by a command after a specific time.
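
The flow proposed in the question, as an added example that is not part of the original post and is not FOSOAuthServerBundle or Symfony code: a plain-PHP model in which the refresh grant checks the account status and a cleanup step purges expired tokens. All class and method names are hypothetical, and the 14-day refresh lifetime is an assumed value.

```php
<?php
declare(strict_types=1);
// Added illustration: all names are hypothetical, not FOSOAuthServerBundle or Symfony API.
final class User {
    public function __construct(public string $name, public bool $active = true) {}
}
final class Token {
    public function __construct(public string $value, public User $user, public int $expiresAt) {}
}
final class TokenStore {
    /** @var array<string, Token> refresh tokens keyed by value */
    private array $refreshTokens = [];

    public function issueRefreshToken(User $user, int $now, int $ttl): Token {
        $token = new Token(bin2hex(random_bytes(16)), $user, $now + $ttl);
        return $this->refreshTokens[$token->value] = $token;
    }

    // Refresh grant: the account-status check runs before a new access token is minted.
    public function refresh(string $value, int $now): Token {
        $old = $this->refreshTokens[$value] ?? throw new RuntimeException('invalid_grant: unknown token');
        if ($old->expiresAt <= $now) {
            throw new RuntimeException('invalid_grant: refresh token expired');
        }
        if (!$old->user->active) {
            throw new RuntimeException('invalid_grant: user deactivated');
        }
        return new Token(bin2hex(random_bytes(16)), $old->user, $now + 3600); // 3600 s as in the post
    }

    // Cleanup command body: drop refresh tokens past expiry, return how many were removed.
    public function purgeExpired(int $now): int {
        $before = count($this->refreshTokens);
        $this->refreshTokens = array_filter($this->refreshTokens, fn (Token $t) => $t->expiresAt > $now);
        return $before - count($this->refreshTokens);
    }
}

// Constructed sample run; the 14-day refresh lifetime is an assumed value.
$store = new TokenStore();
$alice = new User('alice');
$rt = $store->issueRefreshToken($alice, 0, 14 * 86400);
$alice->active = false; // employee leaves; stored tokens are left untouched
try {
    $store->refresh($rt->value, 100);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL; // refresh is refused for the deactivated user
}
echo $store->purgeExpired(14 * 86400 + 1), PHP_EOL; // cleanup after natural expiry
```

An access token issued before deactivation stays usable until its own expiry unless requests to the protected resources run the same account-status check.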