When they create an access or refresh token using the username and password supplied, you can store the created token in a database with their username and a revoked status of
unrevoked. Then, when you want to actually revoke the refresh tokens, you can go to the database, find tokens that have been created by the given username, and update the revoked status in the database. Basically you are storing the tokens at creation time, instead of at revocation time, and checking the database to see if they have been revoked or not whenever the token is used.
Here is an example you could use to get started with this: https://github.com/vimalloc/flask-jwt-extended/tree/master/examples/database_blacklist