Reputation: 795
In my AD B2C application, I need to revoke all refresh tokens that AD B2C issued for a user. The requirement is this: a user account is logged in to multiple apps, and in one app the user changes the password. When the password is changed, I have to revoke all of his refresh tokens issued to the other apps. How do I do that?
Update:
I have tried the following:
B2C - Get Token By Policy
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/authorize
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/token
a) Got an access token and refresh token using an AD B2C user account (created directly in the tenant, not through a sign-up policy).
b) Tried to get a new access token and refresh token from the token endpoint with grant_type=refresh_token -> able to get tokens.
c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
and the client credentials flow (an application registered in the AD blade of the AD B2C tenant and given access to the Graph API).
d) The above token revoke API call was successful; then tried step (b) again.
e) Still able to get new tokens from step (b).
B2C - Get Token By Policy - Revoke using GA account
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/authorize
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/token
a) Got an access token and refresh token using an AD B2C user account (created directly in the tenant, not through a sign-up policy).
b) Tried to get a new access token and refresh token from the token endpoint with grant_type=refresh_token -> able to get tokens.
c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
This was done by logging in to the Graph API Explorer with a GA account created directly in the tenant.
d) The above token revoke API call was successful; then tried step (b) again.
e) Still able to get new tokens from step (b).
B2C - Get Token Without Policy
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/authorize
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/token
a) Got an access token and refresh token using an AD B2C user account (created directly in the tenant, not through a sign-up policy).
b) Tried to get a new access token and refresh token from the token endpoint with grant_type=refresh_token -> able to get tokens.
c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
and the client credentials flow (an application registered in the AD blade of the AD B2C tenant and given access to the Graph API).
d) The above token revoke API call was successful; then tried step (b) again.
e) Not able to get new tokens from step (b).
B2C - Get Token Without Policy - Revoke using GA account
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/authorize
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/token
a) Got an access token and refresh token using an AD B2C user account (created directly in the tenant, not through a sign-up policy).
b) Tried to get a new access token and refresh token from the token endpoint with grant_type=refresh_token -> able to get tokens.
c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
This was done by logging in to the Graph API Explorer with a GA account created directly in the tenant.
d) The above token revoke API call was successful; then tried step (b) again.
e) Still able to get new tokens from step (b).
Basically, I am not able to revoke tokens created through the B2C policy workflow.
Solution:
The refresh token revoke Graph API is working, but it takes around 5 minutes to take effect.
The problem is that during that waiting period I am able to get a new refresh token and access token, and those new refresh tokens keep working even after the revocation. This means Azure AD uses the request time of the refresh token revoke API call and revokes all refresh tokens issued before that time.
So how do I avoid that?
When a new access token is requested with the offline scope using an existing refresh token, why does Azure AD issue a new refresh token even though the existing refresh token is still within its validity period?
Upvotes: 4
Views: 5018
Reputation: 14634
You can invalidate all of the refresh tokens for a specific user using the Azure AD Graph API:
POST https://graph.windows.net/myorganization/users/{user_id}/invalidateAllRefreshTokens?api-version=1.6
The Azure AD Graph API will be deprecated. In the Microsoft Graph API, the documentation is here and the call is:
POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions
Upvotes: 5
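As an added example (not from the question or the answer), here is how a resource API could complement the Graph revocation call, given the observation above that revocation takes effect only after a delay and only for refresh tokens issued before the request time: the API records when the user's credentials changed and rejects any token whose auth_time claim (the time the user last entered credentials, which is carried over when a refresh token is redeemed, unlike iat) is older than that. It assumes the B2C policy emits auth_time and that signature and issuer validation already happened in the API's normal JWT middleware; the tokens below are constructed, unsigned samples.

```python
import base64
import json

# Per-user cutoff kept by the resource API (constructed in-memory store):
# oid -> Unix time at which the password was changed / revocation requested.
CREDENTIALS_CHANGED_AT = {}

def record_credential_change(user_oid, changed_at):
    """Remember the latest credential change for a user."""
    previous = CREDENTIALS_CHANGED_AT.get(user_oid, 0)
    CREDENTIALS_CHANGED_AT[user_oid] = max(previous, changed_at)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims):
    """Constructed sample JWT (alg=none, empty signature) used only to feed
    the check below; real tokens must pass signature validation first."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(token):
    """Return the payload claims of a compact JWT (no verification here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def accept_token(token):
    """Reject tokens whose authentication predates the user's credential
    change. auth_time (assumed to be emitted by the policy) survives a
    refresh_token grant, so a token minted during the propagation window
    from an old refresh token is still rejected; iat alone would not catch it."""
    claims = decode_claims(token)
    cutoff = CREDENTIALS_CHANGED_AT.get(claims["oid"])
    if cutoff is None:
        return True
    return claims.get("auth_time", 0) >= cutoff

def demo():
    """Walk through the window described in the question."""
    alice = "00000000-0000-0000-0000-000000000001"  # constructed oid
    t0 = 1_600_000_000
    original = make_unsigned_token({"oid": alice, "iat": t0, "auth_time": t0})
    record_credential_change(alice, t0 + 3600)  # password changed, revoke requested
    # Refreshed during the ~5 minute propagation window: new iat, old auth_time.
    refreshed = make_unsigned_token({"oid": alice, "iat": t0 + 3700, "auth_time": t0})
    # Fresh sign-in with the new password.
    reauth = make_unsigned_token({"oid": alice, "iat": t0 + 4000, "auth_time": t0 + 4000})
    return accept_token(original), accept_token(refreshed), accept_token(reauth)
```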