Reputation: 521
We are implementing Azure AD in a mobile app using the ADAL libraries. Given this scenario:
The user has signed into the app and has valid access and refresh tokens. The user doesn't sign out, and from another app (say, Outlook) the user enters the password incorrectly multiple times so that the account gets locked out. After that, we go back to the app and find that the access and refresh tokens are still valid and the user can perform all operations, which is a security violation. Ideally, when the user's account is locked, it should invalidate the access and refresh tokens. How can we get this working properly?
Upvotes: 1
Views: 1672
Reputation: 27528
The access token/refresh token will remain usable for the token's lifetime. Logging out of the web application and blocking the account won't revoke the token.
Currently Azure Active Directory does not support or provide an endpoint for an application to revoke the access/refresh tokens.
You may read more about configurable token lifetimes in Azure Active Directory to check the policies on token lifetimes and adjust them based on your requirements.
Upvotes: 1
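Added example, not part of the question or the answer above: since the answer says the identity provider keeps an issued token valid until its `exp` claim regardless of a later lockout, the one place left to enforce the lockout is the API that consumes the access token. Azure AD access tokens are JWTs carrying the standard `iat` (issued-at) and `exp` (expiry) claims plus an `oid` claim identifying the user object; the code below decodes those claims and rejects a token that is either expired or was issued before a per-user cut-off that the API records when it learns of the lockout. The cut-off store, the `TokenGate` class, how the API learns about the lockout, and the constructed unsigned sample tokens are all assumptions for illustration; signature verification against the tenant's signing keys is deliberately omitted here and is mandatory in a real deployment.

```python
"""
Resource-side enforcement for Azure AD access tokens (added example).

The IdP will not revoke an access token before 'exp', so the API keeps its
own "tokens for this user issued before time X are rejected" cut-off.
The cut-off store (an in-memory dict) and the lockout notification path
are assumptions for this example. Tokens here are unsigned samples
constructed inline; real tokens must have their signature verified first.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring stripped '=' padding."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(oid: str, iat: int, exp: int) -> str:
    """Constructed sample token for the example: alg=none, empty signature."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {"oid": oid, "iat": iat, "exp": exp}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}."


class TokenGate:
    """Per-user issued-at cut-off applied on top of the token's own expiry."""

    def __init__(self) -> None:
        # oid -> earliest acceptable 'iat' (seconds since epoch); assumed store
        self.not_before = {}

    def lock_account(self, oid: str, at: int) -> None:
        """Record that the account was locked at 'at'; earlier tokens die."""
        self.not_before[oid] = max(self.not_before.get(oid, 0), at)

    def check(self, token: str, now: int) -> tuple:
        """Return (accepted, reason) for a token presented at time 'now'."""
        claims = decode_claims(token)
        if now >= claims["exp"]:
            return False, "expired"
        cutoff = self.not_before.get(claims["oid"])
        if cutoff is not None and claims["iat"] < cutoff:
            return False, "issued before account lock"
        return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed reference time
    gate = TokenGate()
    tok = make_sample_token("user-1", iat=t0, exp=t0 + 3600)
    print(gate.check(tok, t0 + 10))      # accepted: within lifetime
    gate.lock_account("user-1", at=t0 + 100)
    print(gate.check(tok, t0 + 200))     # rejected: issued before the lock
```

The cut-off only bites for tokens the API itself sees, so it does nothing for the refresh token (which is exchanged with Azure AD, not with the API) and it only helps if the lockout is actually reported to the API; shortening the access-token lifetime policy, as the answer suggests, bounds how long the refresh flow can keep an old session alive.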