I have built a UI for managing users in the user store of Identity Server 4.
Users can have their accounts locked, and at that point I want to revoke any tokens that are persisted in the database for that user.
It's my understanding that to do this I would need to remove the persisted grants for that user in the db.
I'm using reference tokens in the client application, so by removing the tokens in the db, it will automatically unauthorize the users in the client applications as the reference to the token will be invalid.
Is this the right way to go about this?
If I understand you correctly you need to revoke a token previously issued to a client, which would otherwise remain valid for a certain amount of time.
There is no need to remove the token from the database; Identity Server 4 already provides an API for it which implements RFC 7009. Note that this is supposed to be used from a client, and you need to perform client authentication.
Source: http://docs.identityserver.io/en/release/endpoints/revocation.html
You can use the token revocation endpoint to send a revocation request:
POST /connect/revocation HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token
If you need to lock out users locally on the Identity Server 4 host and you are using ASP.NET Identity you can use user lockout: http://www.jamessturtevant.com/posts/ASPNET-Identity-Lockout/
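As an added example (not part of the answer above or of IdentityServer's own code), here is how a confidential client such as the admin UI would build the RFC 7009 request shown above, authenticate with HTTP Basic client credentials, and interpret the response. The endpoint URL, client id and secret are placeholders; with reference tokens the hint would be access_token rather than refresh_token.

```python
"""Send an RFC 7009 token revocation request to an IdentityServer 4 host."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple


def basic_auth_header(client_id: str, client_secret: str) -> str:
    # RFC 6749 section 2.3.1: form-urlencode id and secret, then base64 "id:secret".
    cid = urllib.parse.quote(client_id, safe="")
    sec = urllib.parse.quote(client_secret, safe="")
    return "Basic " + base64.b64encode(f"{cid}:{sec}".encode("ascii")).decode("ascii")


def build_revocation_request(endpoint: str, client_id: str, client_secret: str,
                             token: str, token_type_hint: str = "access_token"):
    # RFC 7009 section 2.1: POST, form body with token and optional token_type_hint.
    if token_type_hint not in ("access_token", "refresh_token"):
        raise ValueError("token_type_hint must be access_token or refresh_token")
    body = urllib.parse.urlencode({"token": token, "token_type_hint": token_type_hint})
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    return urllib.request.Request(endpoint, data=body.encode("ascii"),
                                  headers=headers, method="POST")


def interpret_revocation_response(status: int, body: bytes) -> Tuple[bool, Optional[str]]:
    # RFC 7009 section 2.2: 200 means revoked OR already invalid; the server does
    # not distinguish, so a revocation call cannot be used to probe token validity.
    if status == 200:
        return True, None
    if status == 401:
        return False, "invalid_client"  # client authentication failed
    try:
        err = json.loads(body.decode("utf-8")).get("error", "unknown_error")
    except (ValueError, UnicodeDecodeError):
        err = "unknown_error"
    return False, err  # e.g. unsupported_token_type, invalid_request


def revoke_token(endpoint: str, client_id: str, client_secret: str,
                 token: str, token_type_hint: str = "access_token") -> Tuple[bool, Optional[str]]:
    req = build_revocation_request(endpoint, client_id, client_secret, token, token_type_hint)
    try:
        with urllib.request.urlopen(req) as resp:  # endpoint is an assumed placeholder URL
            return interpret_revocation_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return interpret_revocation_response(e.code, e.read())
```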