How to Revoke Token generated on Azure AD On Behalf user flow? - azure-active-directory

I am getting access token and then calling MS graph API , however i am not getting any API for revoking the access token /refresh token generated for specific account(used on behalf of user authorization flow).
Used the azure AD logout API which redirects to the logout URL but not exactly logging out of Office 365 account and can still able to generate the new access token using refresh token after logout. This should not happen.
Please suggest some solution.

It seems like your only option is here cmdlet Revoke-AzureADUserAllRefreshToken.
https://learn.microsoft.com/en-us/powershell/module/azuread/revoke-azureaduserallrefreshtoken?view=azureadps-2.0
Your case is also described in the Office 365 scope over here: https://www.michev.info/Blog/Post/1137/immediately-revoke-access-to-office-365-applications

Related

Azure B2C - renew session

I have a React app that uses Azure B2C to authenticate users (PKCE flow).
There is a requirement to keep the session active as long as the user has some activity.
I cannot use "Rolling" for session timeout, because some of the requests are made by an independent job, which is not triggered by the user.
Here is my question - how can I control renewing the session? I would like to renew the session every time I am getting the access token.
Access tokens and ID tokens are short-lived. Since you are using the Authorization-Code Grant flow of OAuth, after they expire, you must refresh them to continue to access resources .
Hence in order to get the refresh-token, you would have to send a POST request to the /token endpoint of B2C with the scope .(i.e; Provide the refresh_token instead of the code in the rquest).see reference 1.
Make sure to add scopes along with AppId 'openid profile offline_access AppId’
Ex: scope: 'openid profile offline_access XXXXXX-f9a4-4b8e-XXXX-dXXXXXXX01f'
References:
Authorization code flow - Azure Active Directory B2C | Microsoft
Docs
microsoft-authentication-library-for-js/FAQ (github.com)

Is Refresh Token relevant for OIDC IdentityServer Azure AD SSO Implementation?

I have an implementation of IdentityServer4 which connects with Azure AD for authentication (OIDC). In the callback method, using the IdentityServertools, I am generating the access_token and redirecting the user to SPA with the same. The SPA then stores the access_token into localstorage and uses it for authentication.
Normally, when my SPA app hits the token endpoint of the IdentityServer4, it gives access_token and refresh_token and then uses refresh_token to re-authenticate a returning user.
In this case of SSO with Azure AD, do I need to generate refresh_token manually? If yes, I can build on top of default implementation and that's not the problem (However, the docs suggest against of changing the IRefreshTokenService implementation or building something from scratch)
My real question is, is there a need of refresh_token here? Because refresh_tokens are stored in DB and never get's deleted and after sometime, these refresh_tokens table will swell (right now it already has 80k rows). The user is expected to click on a small tile inside SAP's Successfactor - that will open the signin/consent screen of Azure or will directly take the user to the main page where zhe will just answer a question and done. So it's hardly 2-3 mins business. So I can continue to generate access_tokens from my IdentityServer4 for every click as I don't expect the user to stay authenticated in the browser if zhe has logged out from SAP's Successfactor (or any other app linked with Azure).
Please advise, if I should generate refresh_token? Is it a good architecture?
Access token is used to prove the request is allowed to access the resource(such as api from ms or your custom api) and refresh token is used to refresh access token to make sure the access token isn't expired. Access token will expire in an hour by default and refresh token has 90 days.
At this point, we can easily find the refresh token is designed for some special scenarios because the expired time for refresh token is much longer than access token's expired time, but we can also generate a new access token in other way such as using msal or sign in again.
As you said in the question, you can generate an access token by one click and you don't expect users to stay authenticated for a long time. So I think it's unnecessary for you to use refresh token.

Refresh token revocation in Azure AD B2C

In my AD B2C application, i need to revoke the all refresh tokens given by AD B2C for a user. This is a requirement to implement as when user account is logged in multiple apps and in one app user changed the password. When password is changed, i have revoke all of his refresh tokens given to other apps.
How to do that?
Update:
I have tried following,
B2C -Get Token By Policy
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/authorize
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/token
a)Got access token and refresh token using ad b2c user account(created directly through tenant not from sign up policy).
b)Try to get new access and refresh token by using token end point and grant_type refresh_token -> able to get token
c)Revoked the token using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
and client credential flow(a application registered in AD blade of Ad B2C tenant and given access to graph api)
d)Above token revoke api call is successful and tried step (b).
e)still able to get new tokens from step(b)
B2C -Get Token By Policy - Revoke using GA account
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/authorize
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/token
a)Got access token and refresh token using ad b2c user account(created directly through tenant not from sign up policy).
b)Try to get new access and refresh token by using token end point and grant_type refresh_token -> able to get token
c)Revoked the token using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
and It is done by logged into graph api explorer using GA account created directly in tenant.
d)Above token revoke api call is successful and tried step (b).
e)still able to get new tokens from step(b)
B2C -Get Token Without Poicy
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/authorize
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/token
a)Got access token and refresh token using ad b2c user account(created directly through tenant not from sign up policy).
b)Try to get new access and refresh token by using token end point and grant_type refresh_token -> able to get token
c)Revoked the token using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
and client credential flow(a application registered in AD blade of Ad B2C tenant and given access to graph api)
d)Above token revoke api call is successful and tried step (b).
e)Not able to get new tokens from step(b)
B2C -Get Token Without Poicy - Revoke using GA account
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/authorize
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/token
a)Got access token and refresh token using ad b2c user account(created directly through tenant not from sign up policy).
b)Try to get new access and refresh token by using token end point and grant_type refresh_token -> able to get token
c)Revoked the token using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
It is done by logged into graph api explorer using GA account created directly in tenant.
d)Above token revoke api call is successful and tried step (b).
e)still able to get new tokens from step(b)
Basically not able to revoke the token created from b2c policy workflow.
Solution:
Refresh token revoke graph api is working. But it takes around 5 mins to do that.
But Problem here is in between waiting period, i am able to get new refresh token and access token and those new refresh tokens are working even after revocation. Which means Azure AD considered the requested time of refresh token revoke api call and revokes all refresh tokens issued before that time.
So how to avoid that?
When new access token is requested with offline scope using existing refresh token, why does Azure AD provide new refresh token even though existing refresh token has validity time.?
You can invalidate all of the refresh tokens for a specific user using the Azure AD Graph API:
POST https://graph.windows.net/myorganization/users/{user_id}/invalidateAllRefreshTokens?api-version=1.6

Azure client credentials grant oath not working in hybrid setup for Graph Mail API access

In hybrid setup if client credentials grant type is used to get token and if that token is used to get on-prem user messages (https://graph.microsoft.com/v1.0/users('onpremuser#onpremdomain.com')/messages/) using graph api it fails by providing UnknownError.
When debugged on IIS logs error shown was "This token profile 'V1S2SAppOnly' is not applicable for the current protocol." error_category="invalid_token".
However if authorization code grant or resource owner password credential (ROPC) grant if used to obtain token , we were able to get messages of on prem user using graph API.
Have attached screenshot of token for both. How to make client credentials grant work for on-prem user messages access using graph API (in hybrid setup) ?
Update
Update i went and edited web.config of rest in Exchange server to have V1S2SAppOnly in profiles. After that previous error is gone and new error is seen.
Bearer+client_id="00000002-0000-0ff1-ce00-000000000000",+trusted_issuers="00000001-0000-0000-c000-000000000000#ea6064aa-d6fc-48d3-abb8-1728e1f39e0b",+token_types="app_asserted_user_v1+service_asserted_app_v1",+error="invalid_token" 2000008;reason="The+token+should+have+valid+permissions+or+linked+account+associated+with+partner+application+'00000003-0000-0000-c000-000000000000'.";error_category="invalid_grant"
I think the problem is with the aud claim, i.e. the audience for token.
For the first token that you have shared
aud value is 00000002-0000-0000-c000-000000000000. This is the resource Id for Azure AD Graph API and not Microsoft Graph API. For Microsoft Graph API, you should be using https://graph.microsoft.com or Id 00000003-0000-0000-c000-000000000000
this token is probably the one where you used client credentials grant, as there isn't any user claim
For the second token that you have shared
aud value is https://graph.microsoft.com which is correct
this token is acquired in context of a user name anoop so I guess this is the one which is working for you.
What you want is:
Application with Client credentials => Graph API => Local Exchange.
This scenario isn't supported out-of-the-box, but you can however tell your local exchange server to accept those tokens. See this answer https://stackoverflow.com/a/56131954/639153
In a nutshell, you need to change the authentication config of your front-end exchange servers to accept client credentials from the graph api. By default only delegated credentials are supported, and these settings are not documented on the exchange side.
Warning, we tested these settings, and it's working but not supported by Microsoft
This is the blog where I've found the answer to your question. https://blog.thenetw.org/2019/05/13/using-client_credentials-with-microsoft-graph-in-hybrid-exchange-setup/

Access one SFDC org via token retrieved from another org

I have 2 salesforce orgs that I need to access via API from my Single page application.
The first org should work as my IDP, to authenticate my user (I am planning to use user-agent flow).
When I authenticate to my IDP org, I am getting an access token and an OpenID token. How can I use any of them to access the second org (also via API)?
So far it seems that I can use the ID token from the IDP to get an access token from the SP using the JWT bearer flow. Then use the access token from there onward.
But so far not sure if the ID token itself can be used instead of the access token to invoke the REST API in the SP. I have posted another question about this:
Can I authenticate to and use REST API using an ID token

Resources