user1738539

Reputation: 941

Microsoft Graph OAuth2 revoke/invalidate refresh token node.js

I am trying to revoke a refresh token so that it cannot be used any further to obtain more access tokens via oauth2.

I am using the simple-oauth2 Node.js library, which wraps the requests to obtain access and refresh tokens. Once I have these tokens, I can use the access token to make graph.microsoft.com calls. When the token expires, I can obtain a new one. This library has a .revoke() method that takes a revoke URL. I specify this as http://login.microsoft.com/common/oauth2/v2.0/logout, but the refresh token is still valid.

According to https://support.office.com/en-us/article/Session-timeouts-for-Office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40?ui=en-US&rs=en-US&ad=US (section "Azure Active Directory"): "An administrator can apply conditional access policies which restrict access to the resource the user is trying to access."

Is it possible to revoke it using an OAuth2 request? I see this https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oidc, which shows the OAuth2 logout URL /common/oauth2/v2.0/logout.

Upvotes: 2

Views: 5277

Answers (1)

Navya Canumalla

Reputation: 507

Azure Active Directory does not support or provide an endpoint for an application to revoke the refresh tokens. The recommended approach is to clear the token cache on logout to prevent the re-use of the token.

A similar post is here: Revoke a refresh token on Azure AD B2C

You can read more about the policies on token lifetimes of refresh tokens here https://learn.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes

Upvotes: 2
