Aparna

Reputation: 119

Azure AD B2C Signout does not invalidate the token

We are using the MSAL library and invoking the end_session_endpoint URL for logout, but it is not invalidating the access token. If we use the same token after logout, it still works. Is there any fix for this? Is there any particular way of doing the signout from web applications?

Note: We see this issue in mobile as well with the library react-native-ios-android-appauth-b2c

Upvotes: 4

Views: 4654

Answers (2)

Vic

Reputation: 472

The access token cannot be invalidated. It's a bearer token, so it can be used until its expiry by anyone holding it.

In your case there's probably no need to invalidate the token at logout. You can simply delete it on your end, making sure it's not persisted anywhere.

The end_session_endpoint endpoint you mentioned will only clear the B2C session cookie in the browser and the user state on the B2C server, which are not directly related to the access token.

Upvotes: 1

rbrayb

Reputation: 46773

That's as per the specification. Access tokens can't be revoked or invalidated.

It's documented here.

"Clients use access tokens to access a protected resource. An access token can be used only for a specific combination of user, client, and resource. Access tokens cannot be revoked and are valid until their expiry. A malicious actor that has obtained an access token can use it for the extent of its lifetime. Adjusting the lifetime of an access token is a trade-off between improving system performance and increasing the amount of time that the client retains access after the user's account is disabled. Improved system performance is achieved by reducing the number of times a client needs to acquire a fresh access token. The default is 1 hour - after 1 hour, the client must use the refresh token to (usually silently) acquire a new refresh token and access token."

Refresh tokens can be revoked.

Upvotes: 3
