Greetings,
We have a concerned manager asking us questions about access and refresh tokens issued by AzureAD.
We have created an app that gives people the ability to check settings stored in another system.
The developers of the app have given us the ability to sign in and out of the app on the device used, by removing the access and refresh tokens stored on the device. Because only the tokens on the device are removed, the manager is concerned that the stored (refresh) tokens (in AzureAD) can be misused by other people. The concern is more for the refresh token than the access token because the access token is far more short-lived.
I was asked to make sure those tokens cannot be retrieved or misused, but I can't find any documentation about how the refresh tokens are stored within AzureAD.
I thought the tokens might be stored hashed within AzureAD (just like passwords) so the information could not be retrieved, but I can't be sure.
Is there any documentation about this subject anybody can point me to?
I did find documentation about lifetime but not about the method of storage.
Your help is much appreciated.
Regards, Sidney