How do you terminate a Twitch OAuth session?

A user's token normally obtained via a “normal” OAuth flow (which is code flow) only has 4 hours of lifetime on it.
So you only really need to validate if you are accessing users' data when they are “offline”, which occurs when you make an API request for that data anyway. (Of course you may have a refresh token to use here, but if you don’t retain that you can’t use it anyway.) And it sounds like, since you don’t do user actions on behalf of the user when they are not using your app, and on login to the app you fetch a brand new token, you don’t need to validate tokens for logged out users, as it sounds like you don’t retain those tokens on file.

Yes, if you revoke the token when they log out, you don’t have a token to use to validate with.

In my opinion:

So really, you only need to do a validate check when the user loads a page on your website, if you don’t retain the user's access token in a database and it’s only retained in session.

You’ll “lose” the token when the session expires, or the user logs out (as you destroy the session).

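The flow described in the post above (validate the session-held token on page load, revoke it and destroy the session on logout), as an added example that is not part of the original post. It uses Twitch's `/oauth2/validate` and `/oauth2/revoke` endpoints; the function names, the dict-like `session` and the injectable `call` transport are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

VALIDATE_URL = "https://id.twitch.tv/oauth2/validate"
REVOKE_URL = "https://id.twitch.tv/oauth2/revoke"

def http_call(method, url, headers=None, form=None):
    """Default transport (hypothetical helper): returns (status, parsed JSON or {})."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a status we act on
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw or b"{}")
    except ValueError:
        return status, {}

def on_page_load(session, client_id, call=http_call):
    """Validate the session-held token; drop the session if it is not accepted."""
    token = session.get("access_token")
    if not token:
        return False
    status, body = call("GET", VALIDATE_URL, headers={"Authorization": f"OAuth {token}"})
    # Fail closed: any non-200 answer, or a token issued to another client ID
    # (an extra check assumed here), ends the local session.
    if status != 200 or body.get("client_id") != client_id:
        session.clear()
        return False
    return True

def on_logout(session, client_id, call=http_call):
    """Revoke the token at Twitch, then destroy the session whatever the outcome."""
    token = session.get("access_token")
    revoked = False
    try:
        if token:
            status, _ = call("POST", REVOKE_URL, form={"client_id": client_id, "token": token})
            revoked = status == 200
    finally:
        session.clear()  # the token is gone locally even if the revoke call failed
    return revoked
```
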