SanderSV

Reputation: 11

passport-azure-ad, validation of tokens

This question is related to passport-azure-ad, does it parse & validate token?

I've tried to master using the passport-azure-ad module. I successfully log in my user with OpenID Connect, pick up the access_token and use it directly against my REST APIs, which are secured by `app.get('myapi', passport.authenticate('oauth-bearer', {failureRedirect: '/'}), function(req, res){});`

However, if I try to log out from the session created by OpenID Connect, the token is still valid until it expires (typically 3600 seconds).

I'm using the access_token to secure my endpoint, which is not hosted behind an API Gateway at Microsoft, so I guess revocation of the access_token is not straightforward.

Is there any way I can check if the access_token is revoked using passport-azure-ad? What is the best practice?

Upvotes: 1

Views: 758

Answers (1)

Gary Liu

Reputation: 13918

According to the description in the Azure documentation:

While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.

So you can directly use the end_session_endpoint. You can find it in the metadata document for the b2c_1_sign_in policy endpoint, e.g.:

https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in

If you are using a common Azure AD application in v1, you can also find the end_session_endpoint in the metadata document at, e.g.:

https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/.well-known/openid-configuration

You can refer to Azure Active Directory B2C: Web sign-in with OpenID Connect for more info.

Any further concern, please feel free to let me know.

Upvotes: 1
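The answer covers clearing the Azure AD sign-on state via end_session_endpoint, but that does not touch the bearer access tokens the question is about: they stay valid until `exp`, so the API itself has to refuse tokens issued before the user's logout. The following Node.js code is an added example (written for this page, not code from the question, the answer, passport-azure-ad or Microsoft) that ties both halves together. It assumes: a decoded claim set shaped like the token passport-azure-ad's BearerStrategy hands to its `(token, done)` verify callback (with standard `sub`, `iat`, `exp` claims); a process-local Map as the revocation store (a shared store such as Redis would be needed across API instances); an Express-style `req`/`res`; and a constructed discovery document standing in for the real metadata URL quoted above. The `recordLogout`, `checkToken`, `buildLogoutUrl` and `logoutHandler` names are this example's own.

```javascript
// Added example: logout that (1) revokes already-issued bearer tokens for the user,
// (2) destroys the local session and (3) redirects to Azure AD's end_session_endpoint.
// Not part of passport-azure-ad; all names below are this example's own.

// Revocation store: subject (`sub` claim) -> Unix time (seconds) of the most recent logout.
// Assumption: single process. Use a shared store when the API runs on several instances.
const logoutTimes = new Map();

// Record a logout. Tokens for this subject issued before `at` are treated as revoked.
function recordLogout(sub, at = Math.floor(Date.now() / 1000)) {
  logoutTimes.set(sub, at);
  return at;
}

// Decide whether an already signature-checked, decoded access token is still acceptable.
// Returns { ok: true } or { ok: false, reason }.
function checkToken(claims, now = Math.floor(Date.now() / 1000)) {
  if (!claims || typeof claims.sub !== 'string') return { ok: false, reason: 'missing sub' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  if (typeof claims.iat !== 'number') return { ok: false, reason: 'missing iat' };
  const loggedOutAt = logoutTimes.get(claims.sub);
  // Tokens issued strictly before the logout instant are rejected. Note that `iat` comes from
  // Azure AD's clock and `loggedOutAt` from ours, so a skew allowance may be needed in practice.
  if (loggedOutAt !== undefined && claims.iat < loggedOutAt) {
    return { ok: false, reason: 'revoked by logout' };
  }
  return { ok: true };
}

// Verify callback in the shape passport-azure-ad's BearerStrategy expects: (token, done).
// `token` is the decoded claim set; the strategy has already checked signature and issuer.
// Assumed wiring (not executed here): passport.use(new BearerStrategy(options, verifyBearer));
function verifyBearer(token, done) {
  const result = checkToken(token);
  if (!result.ok) return done(null, false, { message: result.reason });
  return done(null, { sub: token.sub, claims: token });
}

// Constructed sample shaped like the OpenID Connect discovery document the answer points to.
const SAMPLE_METADATA = {
  issuer: 'https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/',
  end_session_endpoint:
    'https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/oauth2/v2.0/logout?p=b2c_1_sign_in',
};

// Build the logout URL from the discovery document, keeping any query string (e.g. ?p=policy)
// and appending post_logout_redirect_uri. Refuses a missing or non-HTTPS endpoint.
function buildLogoutUrl(metadata, postLogoutRedirectUri) {
  const endpoint = metadata && metadata.end_session_endpoint;
  if (typeof endpoint !== 'string') throw new Error('metadata has no end_session_endpoint');
  const url = new URL(endpoint);
  if (url.protocol !== 'https:') throw new Error('end_session_endpoint must be https');
  if (postLogoutRedirectUri) url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  return url.toString();
}

// Express-style logout handler (assumed shape; express itself is not required to run this file).
// Order matters: revoke first, so a token replayed during the redirect is already rejected.
function logoutHandler(metadata, postLogoutRedirectUri) {
  return function (req, res) {
    const sub = req.user && req.user.sub;
    if (sub) recordLogout(sub);
    const finish = () => res.redirect(buildLogoutUrl(metadata, postLogoutRedirectUri));
    // express-session exposes req.session.destroy(cb); redirect once it completes.
    if (req.session && typeof req.session.destroy === 'function') req.session.destroy(finish);
    else finish();
  };
}

module.exports = { recordLogout, checkToken, verifyBearer, buildLogoutUrl, logoutHandler, SAMPLE_METADATA };
```

With this in place the `passport.authenticate('oauth-bearer', ...)` guard from the question keeps doing signature and issuer validation, while `checkToken` adds the revocation decision that Azure AD cannot make for an API it does not front.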
