Tapesh Gupta

Reputation: 373

How to invalidate Jwt token received from azure ad

I have 2 apps, one Spring Boot and another in Angular. Currently I have integrated my application with Azure AD and hence am authenticating through it. Now the question here is: when the user logs out from the front-end app, how do I invalidate the JWT token provided by Azure AD, if the token is not expired? Because, if someone is able to get the token despite the user having logged out, he can use that token to retrieve data from the backend. Any idea how to do this?

Upvotes: 3

Views: 5960

Answers (3)

Merill Fernando

Reputation: 177

I wanted to share an Azure AD specific answer to this.

The issue you're raising here is the same across the board for all Azure AD tokens. This includes first-party apps by Microsoft (SharePoint, Word, Teams, Outlook). The default token expiry is 60 minutes for access tokens and 90 days for refresh tokens. Then you have other factors like MaxInactiveTime, MaxSessionAge etc. that affect the refresh token's lifetime.

Microsoft toyed with the idea of configurable token lifetimes (see https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes), but it caused issues so they have dropped it in favour of using Conditional Access policies, where the Azure AD tenant owner can specify tenant-level sign-in frequency. Note however this only applies to refresh tokens.

The access token is hard-set to a 60-minute window after which it expires. It is the responsibility of the app developer to ensure the safety of the access token. The best practice is to always have it in memory and never write it to a permanent store or expose it over URLs where it can be logged.

Upvotes: 0

rickvdbosch

Reputation: 15621

Your question is one that has got many people looking for a definitive answer. In short: there is no clear-cut answer. Sure, there are some options that kind of work, but none of them are fool-proof.

I think the answer to the SO question Invalidating JSON Web Tokens sums up your options best:

  1. Remove the token from the client
  2. Create a token blacklist
  3. Just keep token expiry times short and rotate them often

I've seen option 3 to be the most successful 'in the field'.

Upvotes: 5
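An added illustration of options 2 and 3 from the answer above, not code from the question or from any answer: a backend-side denylist keyed by the token's `jti` claim, combined with a short access-token lifetime so that denylist entries can be dropped as soon as the token would have expired anyway. Everything here is constructed for a self-contained run: the HS256 shared secret, the subject, the `jti` values and the clock. Real Azure AD access tokens are RS256-signed with the tenant's published signing keys, so a Spring Boot backend would replace the HMAC check with the resource server's normal signature validation and keep only the expiry and denylist steps; `TokenDenylist`, `validate`, `logout` and `demo` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. Azure AD tokens are RS256-signed with tenant keys;
# a shared HMAC secret is used here only so the block runs offline.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
ACCESS_TOKEN_TTL = 300  # option 3: a short access-token lifetime, in seconds


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, jti: str, now: int, ttl: int = ACCESS_TOKEN_TTL) -> str:
    """Issue a short-lived HS256 token carrying a unique id (jti) and an expiry (exp)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "jti": jti, "iat": now, "exp": now + ttl}
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenDenylist:
    """Option 2: revoked token ids, each kept only until the token's own exp.

    After exp the ordinary expiry check rejects the token anyway, so entries
    are pruned on every lookup and the list is bounded by the token lifetime.
    """

    def __init__(self) -> None:
        self._revoked: dict[str, int] = {}  # jti -> exp

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str, now: int) -> bool:
        for stale in [j for j, exp in self._revoked.items() if exp <= now]:
            del self._revoked[stale]
        return jti in self._revoked

    def __len__(self) -> int:
        return len(self._revoked)


def validate(token: str, denylist: TokenDenylist, now: int) -> tuple[bool, str]:
    """Return (accepted, reason): signature first, then exp, then the denylist."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if denylist.is_revoked(claims.get("jti", ""), now):
        return False, "revoked"
    return True, "ok"


def logout(token: str, denylist: TokenDenylist, now: int) -> bool:
    """On logout the backend records the (still valid) token's jti until its exp."""
    accepted, _ = validate(token, denylist, now)
    if not accepted:
        return False  # never denylist ids taken from a token we would not accept
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    denylist.revoke(claims["jti"], claims["exp"])
    return True


def demo() -> list[str]:
    """Walk one token through login, logout, replay, expiry and tampering."""
    now = 1_700_000_000  # constructed clock value
    denylist = TokenDenylist()
    tok = mint_token("alice", "jti-0001", now)
    results = [validate(tok, denylist, now)[1]]                       # ok
    logout(tok, denylist, now)
    results.append(validate(tok, denylist, now + 1)[1])                # revoked: replay after logout fails
    later = now + ACCESS_TOKEN_TTL + 1
    results.append(validate(tok, denylist, later)[1])                  # expired: exp check wins
    results.append(str(denylist.is_revoked("jti-0001", later)))        # False: entry pruned at exp
    results.append(str(len(denylist)))                                 # 0
    tampered = tok[:-2] + ("BB" if tok.endswith("AA") else "AA")
    results.append(validate(tampered, denylist, now)[1])               # bad signature
    return results


if __name__ == "__main__":
    print(demo())
```

The order inside `validate` matters: the signature is checked before any claim is read, so the denylist is only ever consulted for tokens the backend would otherwise accept, and `logout` refuses to record ids from tokens that fail validation. With Azure AD the backend does not mint tokens, but the same `jti`-plus-`exp` bookkeeping can wrap whatever resource-server validation Spring Security already performs.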

juunas

Reputation: 58898

As far as I know, there is no way to invalidate an ID token / access token after it has been issued. You can invalidate refresh tokens though: https://learn.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http. Those do not apply to a front-end SPA though.

Upvotes: 0
