The default UserTokenProvider generates tokens based on the users's SecurityStamp, so until that changes(like when the user's password changes), the tokens will always be the same, and remain valid.
So if you want to simply invalidate old tokens, just call:
manager.UpdateSecurityStampAsync(user);