Or have really short-lived tokens, requiring regular refresh, and don't worry about expiring them... you can then delete the refresh token so it can't be found, requiring full re-auth if necessary.
OAuth2 + JWT is fine... just whitelist the algorithms you allow and use HTTPS for all communications, even internal.
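The two points in the comment above, short-lived access tokens whose refresh token can be deleted to force re-authentication, and a strict allowlist of accepted JWT algorithms, are illustrated by the following added example. It is not the commenter's code; it assumes HS256 with a constructed demo secret, an in-memory refresh-token store, and the hypothetical function names `issue_access_token`, `check_access_token` and `RefreshStore`. A production deployment would keep the refresh store in a shared database and, as the comment says, carry every token over HTTPS.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-demo-secret-not-for-real-use"  # constructed sample key
ALLOWED_ALGS = {"HS256"}  # allowlist: any other alg, including "none", is rejected
ACCESS_TTL = 300          # access tokens live five minutes, then must be refreshed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64url(hmac.new(SECRET, signing_input, hashlib.sha256).digest())


def issue_access_token(sub: str, now=None) -> str:
    """Mint a short-lived HS256 JWT for subject `sub` (hypothetical helper)."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ACCESS_TTL}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode())).encode()
    return signing_input.decode() + "." + _sign(signing_input)


def check_access_token(token: str, now=None) -> str:
    """Return "ok" or the reason the token is rejected (hypothetical helper).

    Order matters: the algorithm is checked *before* the signature so that a
    header claiming "none" or another algorithm never reaches verification.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    h_b64, p_b64, sig = parts
    try:
        header = json.loads(_unb64url(h_b64))
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    if header.get("alg") not in ALLOWED_ALGS:
        return "alg not allowed"
    # Verify against our own key; constant-time compare to avoid timing leaks.
    if not hmac.compare_digest(_sign(f"{h_b64}.{p_b64}".encode()), sig):
        return "bad signature"
    payload = json.loads(_unb64url(p_b64))
    if now >= payload.get("exp", 0):
        return "expired"
    return "ok"


class RefreshStore:
    """Server-side refresh tokens; deleting one forces a full re-auth."""

    def __init__(self):
        self._tokens = {}  # opaque refresh token -> subject

    def issue(self, sub: str) -> str:
        rt = secrets.token_urlsafe(32)
        self._tokens[rt] = sub
        return rt

    def refresh(self, rt: str, now=None) -> str:
        """Exchange a live refresh token for a new short-lived access token."""
        sub = self._tokens.get(rt)
        if sub is None:
            raise PermissionError("refresh token unknown or revoked: re-auth required")
        return issue_access_token(sub, now)

    def revoke(self, rt: str) -> None:
        self._tokens.pop(rt, None)


if __name__ == "__main__":
    store = RefreshStore()
    rt = store.issue("alice")
    access = store.refresh(rt)
    print(check_access_token(access))        # ok
    store.revoke(rt)
    try:
        store.refresh(rt)
    except PermissionError as e:
        print(e)                             # re-auth required
```

Because access tokens expire in minutes, revocation never has to touch them: deleting the refresh token from the store is enough to stop a client from obtaining a new one, and the window of exposure is bounded by `ACCESS_TTL`.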