In my AD B2C application, i need to revoke the all refresh tokens given by AD B2C for a user. This is a requirement to implement as when user account is logged in multiple apps and in one app user changed the password. When password is changed, i have revoke all of his refresh tokens given to other apps.
How to do that?
Update:
I have tried following,
B2C -Get Token By Policy
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/authorize
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/token
a)Got access token and refresh token using ad b2c user account(created directly through tenant not from sign up policy).
b)Try to get new access and refresh token by using token end point and grant_type refresh_token -> able to get token
c)Revoked the token using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
and client credential flow(a application registered in AD blade of Ad B2C tenant and given access to graph api)
d)Above token revoke api call is successful and tried step (b).
e)still able to get new tokens from step(b)
B2C -Get Token By Policy - Revoke using GA account
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/authorize
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/token
a)Got access token and refresh token using ad b2c user account(created directly through tenant not from sign up policy).
b)Try to get new access and refresh token by using token end point and grant_type refresh_token -> able to get token
c)Revoked the token using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
and It is done by logged into graph api explorer using GA account created directly in tenant.
d)Above token revoke api call is successful and tried step (b).
e)still able to get new tokens from step(b)
B2C -Get Token Without Poicy
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/authorize
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/token
a)Got access token and refresh token using ad b2c user account(created directly through tenant not from sign up policy).
b)Try to get new access and refresh token by using token end point and grant_type refresh_token -> able to get token
c)Revoked the token using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
and client credential flow(a application registered in AD blade of Ad B2C tenant and given access to graph api)
d)Above token revoke api call is successful and tried step (b).
e)Not able to get new tokens from step(b)
B2C -Get Token Without Poicy - Revoke using GA account
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/authorize
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/token
a)Got access token and refresh token using ad b2c user account(created directly through tenant not from sign up policy).
b)Try to get new access and refresh token by using token end point and grant_type refresh_token -> able to get token
c)Revoked the token using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
It is done by logged into graph api explorer using GA account created directly in tenant.
d)Above token revoke api call is successful and tried step (b).
e)still able to get new tokens from step(b)
Basically not able to revoke the token created from b2c policy workflow.
Solution:
Refresh token revoke graph api is working. But it takes around 5 mins to do that.
But Problem here is in between waiting period, i am able to get new refresh token and access token and those new refresh tokens are working even after revocation. Which means Azure AD considered the requested time of refresh token revoke api call and revokes all refresh tokens issued before that time.
So how to avoid that?
When new access token is requested with offline scope using existing refresh token, why does Azure AD provide new refresh token even though existing refresh token has validity time.?
You can invalidate all of the refresh tokens for a specific user using the Azure AD Graph API:
POST https://graph.windows.net/myorganization/users/{user_id}/invalidateAllRefreshTokens?api-version=1.6
Related
I have a React app that uses Azure B2C to authenticate users (PKCE flow).
There is a requirement to keep the session active as long as the user has some activity.
I cannot use "Rolling" for session timeout, because some of the requests are made by an independent job, which is not triggered by the user.
Here is my question - how can I control renewing the session? I would like to renew the session every time I am getting the access token.
Access tokens and ID tokens are short-lived. Since you are using the Authorization-Code Grant flow of OAuth, after they expire, you must refresh them to continue to access resources .
Hence in order to get the refresh-token, you would have to send a POST request to the /token endpoint of B2C with the scope .(i.e; Provide the refresh_token instead of the code in the rquest).see reference 1.
Make sure to add scopes along with AppId 'openid profile offline_access AppId’
Ex: scope: 'openid profile offline_access XXXXXX-f9a4-4b8e-XXXX-dXXXXXXX01f'
References:
Authorization code flow - Azure Active Directory B2C | Microsoft
Docs
microsoft-authentication-library-for-js/FAQ (github.com)
I am getting access token and then calling MS graph API , however i am not getting any API for revoking the access token /refresh token generated for specific account(used on behalf of user authorization flow).
Used the azure AD logout API which redirects to the logout URL but not exactly logging out of Office 365 account and can still able to generate the new access token using refresh token after logout. This should not happen.
Please suggest some solution.
It seems like your only option is here cmdlet Revoke-AzureADUserAllRefreshToken.
https://learn.microsoft.com/en-us/powershell/module/azuread/revoke-azureaduserallrefreshtoken?view=azureadps-2.0
Your case is also described in the Office 365 scope over here: https://www.michev.info/Blog/Post/1137/immediately-revoke-access-to-office-365-applications
I am not able to redeem new tokens(access and refresh) using refresh token received against different policy token end point.
Received refresh token A from
https://tenant.b2clogin.com/tenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1a_signup.
Redeem token A against same endpoint(policy b2c_1a_signup) is working.
But If i redeem against different policy endpoint https://tenant.b2clogin.com/tenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1a_signin. is not working. (Policy b2c_1a_signin).
Our app is using totally 4 policies and it will get access and refresh token from all policies.
It is difficult store and map the refresh token against the policy.
Please help me find a way to redeem always against one token end point irrespective of token end point used to get token initially.
It isn't allowed to exchange a refresh token, which was issued for one policy, for an access token, which is to be issued for another policy.
You will have to save the policy identifier with the refresh token so that you can exchange this refresh token with that policy identifier.
We have implemented authentication as specified in the C# Teams Sample.Once the access_token expires we have to re-prompt the user to login.
Currently, the access_token expires in 1 hour.
Scopes:
https://graph.microsoft.com/User.Read
openid
Mail.Send
Sites.Read.All
When we request refresh token per the documentation, it gives an access denied error.
Is there a way to refresh the token instead of prompting the user to login again?
If you are using implicit grant after the token has been expired you should login again there will be no other option to get the access token.
If you use code grant then you will get RefreshToken along with AccessToken you can update get the new AccessToken using the RefreshToken. Please follow the link for Code grant implementation
I have 2 salesforce orgs that I need to access via API from my Single page application.
The first org should work as my IDP, to authenticate my user (I am planning to use user-agent flow).
When I authenticate to my IDP org, I am getting an access token and an OpenID token. How can I use any of them to access the second org (also via API)?
So far it seems that I can use the ID token from the IDP to get an access token from the SP using the JWT bearer flow. Then use the access token from there onward.
But so far not sure if the ID token itself can be used instead of the access token to invoke the REST API in the SP. I have posted another question about this:
Can I authenticate to and use REST API using an ID token