Reputation: 795
I have already posted a question, Refresh token revoke, and it works after 1-5 mins.
But it works only for the inbuilt policy (user flow), not for the custom policy.
I have got refresh_token A from the inbuilt policy and refresh_token B from the custom policy.
Both tokens were received for the same user in the same tenant.
After executing revoke (Graph API), when I try to get a new access and refresh token using refresh_token A, it fails. But when I try with refresh_token B (received through the custom policy), it still works; I am able to get new tokens.
I had given a 15 min time gap after the revoke call.
Please help me fix this.
Upvotes: 0
Views: 2053
Reputation: 14724
The "Configure the resource owner password credentials flow in Azure Active Directory B2C using a custom policy" article describes the custom elements that must be implemented to manage the refresh tokens and to test that an already-issued one hasn't been invalidated.
You must:
By default, the clock skew is set to 0, but you can change this using the TreatAsEqualIfWithinMillseconds parameter of the AssertRefreshTokenIssuedLaterThanValidFromDate claims transformation:
<!-- Asserts that the refresh token was issued after the user's refreshTokensValidFromDateTime
     (the value that a Graph API revocation moves forward). The transformation raises an error,
     and the token refresh is rejected, when the assertion does not hold. -->
<ClaimsTransformation Id="AssertRefreshTokenIssuedLaterThanValidFromDate" TransformationMethod="AssertDateTimeIsGreaterThan">
  <InputClaims>
    <!-- leftOperand: when the refresh token being presented was issued -->
    <InputClaim ClaimTypeReferenceId="refreshTokenIssuedOnDateTime" TransformationClaimType="leftOperand" />
    <!-- rightOperand: the user's refreshTokensValidFromDateTime read from the directory -->
    <InputClaim ClaimTypeReferenceId="refreshTokensValidFromDateTime" TransformationClaimType="rightOperand" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="AssertIfEqualTo" DataType="boolean" Value="false" />
    <InputParameter Id="AssertIfRightOperandIsNotPresent" DataType="boolean" Value="true" />
    <!-- Set the clock skew to 5 minutes (300000 milliseconds). The parameter name is spelled
         "Millseconds" in the policy schema; keep it exactly as written. -->
    <InputParameter Id="TreatAsEqualIfWithinMillseconds" DataType="int" Value="300000" />
  </InputParameters>
</ClaimsTransformation>
Upvotes: 5
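As an added example (it is not part of the question, the answer above, or Microsoft's own code), the following Python models the check that the AssertRefreshTokenIssuedLaterThanValidFromDate claims transformation performs, so you can see why refresh_token B keeps working when a custom policy omits it: without the comparison of refreshTokenIssuedOnDateTime against the user's refreshTokensValidFromDateTime, nothing in the custom policy ever notices that a Graph API revocation moved that date forward. The timestamps are constructed sample values, the function names are hypothetical, and the reading of AssertIfEqualTo (fail on equality only when true) and AssertIfRightOperandIsNotPresent (pass when the right operand is missing and the parameter is true) is my interpretation of the documented parameters, not verified against the B2C engine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class AssertDateTimeIsGreaterThanParams:
    """Input parameters of the AssertDateTimeIsGreaterThan claims transformation.

    Defaults mirror the values used in the policy fragment above.
    """
    assert_if_equal_to: bool = False                      # AssertIfEqualTo
    assert_if_right_operand_is_not_present: bool = True   # AssertIfRightOperandIsNotPresent
    treat_as_equal_if_within_ms: int = 300_000            # TreatAsEqualIfWithinMillseconds (5 min)


def parse_b2c_datetime(value: str) -> datetime:
    """Parse an ISO 8601 dateTime claim such as 2023-03-01T12:00:00Z into an aware UTC datetime.

    Python versions before 3.11 reject a trailing 'Z' in fromisoformat, so it is normalised first.
    """
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def assert_datetime_is_greater_than(
    left_operand: str,
    right_operand: Optional[str],
    params: AssertDateTimeIsGreaterThanParams,
) -> bool:
    """Model (assumed semantics) of AssertDateTimeIsGreaterThan.

    Returns True when the assertion passes and False when the validation technical
    profile would raise an error and reject the request.
    """
    if right_operand is None:
        # Assumption: AssertIfRightOperandIsNotPresent=true lets the check pass when the
        # directory has no refreshTokensValidFromDateTime for the user.
        return params.assert_if_right_operand_is_not_present

    left = parse_b2c_datetime(left_operand)
    right = parse_b2c_datetime(right_operand)
    skew = timedelta(milliseconds=params.treat_as_equal_if_within_ms)

    if abs(left - right) <= skew:
        # Inside the clock-skew window the two values count as equal.
        # Assumption: AssertIfEqualTo=true makes equality a failure; false lets it pass.
        return not params.assert_if_equal_to

    return left > right


def refresh_token_still_valid(
    refresh_token_issued_on: str,
    refresh_tokens_valid_from: Optional[str],
    params: AssertDateTimeIsGreaterThanParams = AssertDateTimeIsGreaterThanParams(),
) -> bool:
    """The policy's decision: accept the refresh only if it was issued after the revocation date."""
    return assert_datetime_is_greater_than(refresh_token_issued_on, refresh_tokens_valid_from, params)


if __name__ == "__main__":
    # Constructed scenario mirroring the question: tokens A and B are issued at 12:00,
    # the Graph API revocation at 12:10 sets refreshTokensValidFromDateTime to 12:10.
    ISSUED_BEFORE_REVOKE = "2023-03-01T12:00:00Z"
    REVOKED_AT = "2023-03-01T12:10:00Z"
    ISSUED_INSIDE_SKEW = "2023-03-01T12:12:00Z"
    ISSUED_AFTER_SKEW = "2023-03-01T12:20:00Z"

    print("issued before revoke  ->", refresh_token_still_valid(ISSUED_BEFORE_REVOKE, REVOKED_AT))
    print("issued within 5 min   ->", refresh_token_still_valid(ISSUED_INSIDE_SKEW, REVOKED_AT))
    print("issued 10 min later   ->", refresh_token_still_valid(ISSUED_AFTER_SKEW, REVOKED_AT))
    print("no validFrom on user  ->", refresh_token_still_valid(ISSUED_BEFORE_REVOKE, None))
    strict = AssertDateTimeIsGreaterThanParams(treat_as_equal_if_within_ms=0)
    print("1 s early, zero skew  ->", refresh_token_still_valid("2023-03-01T12:09:59Z", REVOKED_AT, strict))
```

The first case is the one the question reports for refresh_token A: a token issued ten minutes before refreshTokensValidFromDateTime fails the assertion, so the refresh is rejected. A custom policy that never evaluates this transformation (the situation behind refresh_token B) simply skips the comparison, which is why the Graph revocation has no visible effect there. Note that the skew window cuts both ways: with AssertIfEqualTo=false a token issued a minute or two before the revocation is still accepted, so size TreatAsEqualIfWithinMillseconds to the real skew between your issuer and the directory rather than leaving a generous default.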