Programmer-8552 asked:

How to revoke a B2B Active Directory Refresh token?

We use Microsoft B2B Active Directory for a single page application we developed.
We would like to revoke the refresh token of a user when a user logs out.
To revoke the refresh token when a user logs out we found the following information.
https://docs.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http
Our plan was to call the ‘Revoke Sign In Sessions’ Microsoft graph method when the user logs out. When we perform the call we see that the ‘refreshTokensValidFromDateTime’ in the user’s profile is changed.
However, when we request a new access token with an old refresh token we still get a reply with a new access token. We expected the call to fail because the refresh token is revoked.
Why is the old refresh token still valid after the ‘Revoke Sign In Sessions’ call?
We saw that if you are using the B2C Active Directory you can create custom policies, but we couldn’t find anything else for the B2B Active Directory.
We use the Authorization Code Flow to get an access and refresh token from https://login.microsoftonline.com/[tenantId]/oauth2/v2.0/token.

We then expect the call to the same URL to fail if the refresh token is revoked.

Thank you in advance.


amanpreetsingh-msft answered:

Hi @Programmer-8552, thank you for reaching out.

I just tested revoking the Refresh Token using the graph call that you have mentioned and it is working as expected for me. Please find below the steps that I performed to test it out.

  1. Acquire Access and Refresh token using Authorization_Code grant flow:
    89376-image.png

  2. Redeemed Refresh token to acquire new Access and Refresh token pair.
    89299-image.png

  3. Revoked Refresh token for the user using revokeSignInSessions call along with Access Token in the Authorization header.
    89366-image.png

  4. Tried Redeeming same Refresh token again to acquire new Access and Refresh token pair and encountered AADSTS50173 error.
    89367-image.png

Custom Policies are only available for B2C and there are no plans for implementing the same for B2B.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Programmer-8552 answered:

Hi,
Thank you for your reply. I am glad to see that it should work as I expected; however, I did test it again and for me it doesn’t work, so probably I’m doing something wrong.
Maybe you can help me figure out what I am doing wrong based on the following scenario.

I start by navigating to:
https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/authorize
?client_id={clientId}
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&state=12345

I get a correct response:
http://localhost/myapp/?code={code}&state=12345
&session_state=4ee9a2fc-e2e2-4a99-92af-b8756e614613#

Then I get the tokens based on the code
89514-gettokens.jpg


Then I get a correct response

 {
     "token_type": "Bearer",
     "scope": "email openid profile https://graph.microsoft.com/Mail.Read https://graph.microsoft.com/User.Read https://graph.microsoft.com/User.ReadWrite.All https://graph.microsoft.com/.default",
     "expires_in": 3599,
     "ext_expires_in": 3599,
     "access_token": "{AccessToken}",
     "refresh_token": "{RefreshToken}",
     "id_token": "{IdToken}"
 }

Then I look at the JWT Access Token to get the ID of the user
89532-id-from-access-token.jpg


Then I look at the profile of the user using the Id from the access token
89524-profile-before-revoking.jpg


Then I revoke the tokens
89525-revoked-tokens.jpg


I then again look at the profile to see the date has changed
89533-profile-after-revoked.jpg


Then I try to get a new access token based on the refresh token. Now I expected the call to fail, but it gives me a new access token.
89534-still-getting-new-access-token.jpg

@amanpreetsingh-msft I hope you can see what I am doing wrong.
Thank you in advance.


Programmer-8552 commented:
I see in your reply that you are using 'https://graph.microsoft.com/v1.0/me/revokeSignInSessions' instead of the id, but that also doesn't work for me.

amanpreetsingh-msft commented:
Hi @Programmer-8552, I reviewed all the steps that you are performing but I don't see anything wrong. Could you please confirm if the OID in the access token is the same as the one you are passing in the revokeSignInSessions call? Also, can you try using Revoke-AzureADUserAllRefreshToken -ObjectId "OID_of_the_user" to revoke the refresh token and check if that works?
Programmer-8552 answered:

Hi,
I now partially know what the problem is. It seems like it doesn’t work for accounts that have been invited to the tenant. I just created a new account in the tenant and for that account it works.
Is this the normal behavior or is there a solution? Thank you very much for your help. It is because of your reply that I knew it should be working, otherwise I would probably not have figured it out. So thank you very much.
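An added example, not code from either participant, that mirrors the checks this thread walks through offline: read the oid from the access token, build the revokeSignInSessions request, classify the /oauth2/v2.0/token reply by the AADSTS50173 error from the accepted answer, and flag the invited (Guest) user case reported in the last post. The JWT and profile values are constructed, and the userType field name is assumed from the Graph user object.

```python
import base64
import json

GRAPH = "https://graph.microsoft.com/v1.0"

def make_unsigned_jwt(claims):
    """Build a CONSTRUCTED, unsigned compact JWT for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

def jwt_claims(token):
    """Read the payload without signature verification: fine for inspection, never for trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    pad = "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(parts[1] + pad))

def revoke_request(user_oid):
    """Request sent in step 3 of the accepted answer (method, URL, header names); not executed here."""
    return ("POST", f"{GRAPH}/users/{user_oid}/revokeSignInSessions",
            {"Authorization": "Bearer <access token>", "Content-Type": "application/json"})

def classify_token_reply(reply):
    """Classify the token endpoint reply when the old refresh token is redeemed after the revoke."""
    if "access_token" in reply:
        return "STILL_VALID"
    if "AADSTS50173" in reply.get("error_description", ""):
        return "REVOKED"
    return "OTHER_ERROR"

def diagnose(access_token, target_oid, profile_before, profile_after, token_reply):
    """Return (verdict, findings) for the checks raised in the thread."""
    findings = []
    if jwt_claims(access_token).get("oid") != target_oid:
        findings.append("oid in access token differs from the object id passed to revokeSignInSessions")
    key = "refreshTokensValidFromDateTime"
    if profile_after.get(key) == profile_before.get(key):
        findings.append(f"{key} did not advance: the revoke call had no visible effect")
    verdict = classify_token_reply(token_reply)
    if verdict == "STILL_VALID" and profile_after.get("userType") == "Guest":
        # Assumed field: Graph user.userType is "Member" or "Guest"; the last post reports the failure for invited accounts
        findings.append("user is a Guest (invited): the thread reports revocation was not observed for invited accounts")
    return verdict, findings
```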