Your above steps are valid. Here is what you can do to expire the access token:
- When the user presses the Log-out button in the application, the Log-out button calls a web service to remove the access token.
- You can set the session timeout to, let's say, X hours. Run a scheduler after X hours on the server to remove the open access token.
- Update the access token key when the same user logs in again without logging out.
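The three rules in this answer (revoke on logout, sweep after X hours, rotate the token on re-login) are easy to get subtly wrong if the server never checks the store on each request. The following is an added example, not code from the question or the answer above, showing a minimal server-side token store that applies all three. It assumes an in-memory dictionary as the store and an injectable `clock` function so the scheduled sweep can be simulated; `TokenStore`, `login`, `logout`, `validate` and `sweep_expired` are names chosen for this illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class TokenRecord:
    user_id: str
    issued_at: float


class TokenStore:
    """Server-side access-token store (illustrative, in-memory).

    ttl_hours is the "X hours" session timeout; clock is injectable so the
    scheduled cleanup can be exercised without waiting.
    """

    def __init__(self, ttl_hours: float, clock: Callable[[], float] = time.time):
        self.ttl_seconds = ttl_hours * 3600
        self.clock = clock
        self._tokens = {}    # token -> TokenRecord
        self._by_user = {}   # user_id -> currently valid token

    def login(self, user_id: str) -> str:
        # Rule 3: a fresh login replaces whatever token the user still holds,
        # so a token left open on another device stops working immediately.
        old = self._by_user.get(user_id)
        if old is not None:
            self._tokens.pop(old, None)
        token = secrets.token_urlsafe(32)   # unguessable, high-entropy value
        self._tokens[token] = TokenRecord(user_id, self.clock())
        self._by_user[user_id] = token
        return token

    def logout(self, token: str) -> bool:
        # Rule 1: called by the logout web service; removes the token right away.
        rec = self._tokens.pop(token, None)
        if rec is None:
            return False
        if self._by_user.get(rec.user_id) == token:
            del self._by_user[rec.user_id]
        return True

    def validate(self, token: str) -> Optional[str]:
        # Every request consults the store. A token past its TTL is rejected
        # here too, so nothing depends on the sweep having run on time.
        rec = self._tokens.get(token)
        if rec is None:
            return None
        if self.clock() - rec.issued_at > self.ttl_seconds:
            self.logout(token)
            return None
        return rec.user_id

    def sweep_expired(self) -> int:
        # Rule 2: the scheduler job that runs every X hours and drops stale tokens.
        now = self.clock()
        stale = [t for t, r in self._tokens.items()
                 if now - r.issued_at > self.ttl_seconds]
        for t in stale:
            self.logout(t)
        return len(stale)


if __name__ == "__main__":
    # Constructed walk-through with a fake clock (seconds since epoch).
    fake_now = [1_000_000.0]
    store = TokenStore(ttl_hours=2, clock=lambda: fake_now[0])
    t1 = store.login("alice")
    print("valid after login:", store.validate(t1))
    t2 = store.login("alice")           # re-login without logout rotates the token
    print("old token after re-login:", store.validate(t1))
    fake_now[0] += 3 * 3600             # jump past the 2-hour timeout
    print("tokens removed by scheduler:", store.sweep_expired())
    print("rotated token after timeout:", store.validate(t2))
```

In a real deployment the dictionary would be a shared store (a database table or cache) so that the logout web service, the request handlers and the scheduled sweep all see the same state; keeping `validate` time-aware means a token is never honoured just because the sweep job was late.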