Using the Library msal4j I received a JWT token from Azure Active Directory and now, I would like to revoke that token. I didn´t find many information about how to do it.
Reference:
- https://learn.microsoft.com/en-us/machine-learning-server/operationalize/how-to-manage-access-tokens#revoke-refresh-tokens
Many thanks in advance
Juan Antonio
The reference you provided just applies to the refresh token from Machine Learning Server, if you want to revoke a specific refresh token from Azure AD, there is no such way currently, you can just revoke all the refresh token for a user.
You could use the options below:
Microsoft Graph - user: invalidateAllRefreshTokens (Not recommend to use it in the production env, it is a Beta version)
Azure AD Graph - Invalidate all refresh tokens for a user
Powershell command - Revoke-AzureADUserAllRefreshToken
BTW, as mentioned in the comment, this operation is performed (by the user or an administrator) if the user has a lost or stolen device typically, for logout, just redirecting the user to log out with AAD is enough.
Related
I have a file>new .net core web app which is using Azure AD for authentication which works fine out of the box.
I have a requirement to create some auth policies so I have the following code which check the groups in the users claims and sets up an "Admin" policy which I can use on my endpoints.
services.AddAuthorization(options =>
{
options.AddPolicy("Admin", policy => policy.RequireClaim("groups", "XXXXX"));
});
This works fine too. The problem is once the user is logged in, how can I:-
Revoke access if I needed to? (e.g. a user is removed from AD or has his access revoked)
Refresh the auth so that if there has been any change in claims, roles, groups etc, it is detected.
I took a look at https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access but it doesn't give much. It actually says "It's possible that the app may never send the user back to Azure AD as long as the session token is valid."
How is the best way to handle this?
To summarize the comments and post as an answer:
As I said in the comments, if you need to revoke a user's access rights, then you can do this by revoking the user refresh token. After revoking the user's permissions in Azure, then revoke the refresh token and redirect the user to the login page.
After the user is authenticated, he will receive the access token and the refresh token.
First, you need to revoke the user's refresh token. The lifetime of the refresh token is 90 days by default, so you need to revoke it during its lifetime. You can use AAD Power Shell:
Revoke-AzureADUserAllRefreshToken -ObjectId "a1d91a49-70c6-4d1d-a80a-b74c820a9a33"
But as far as I know, the access token cannot be revoked. The default expiration time of the access token is 1 hour. After 1 hour, the user will automatically lose access to AAD.
If you want to terminate user access immediately after the user permissions is revoked, you can try the continuous access evaluation provided by Microsoft, which helps ensure invalidation of access tokens in near real time. However, as the documentation says, this may cause security issues, so I think it is not the best method.
So I think the best way is: just revoke the refresh token, and then wait 1 hour for the access token to expire, the user will automatically lose access to AAD. Then refresh the authentication and redirect the user to the login page.
Simply put, i am following official Microsoft Documentation to fulfill a straight forward task of;
How to revoke an access token for a user so they can't request data from a mobile back end in azure
However, even following the provided guidance, nothing is happening.
I know there are policies that can be created in Azure with lesser time-spans but thought it would be possible to just revoke a users token.
Web apps seem to be catered for but not Client Apps.
Code Example:
Revoke-AzureADUserAllRefreshToken -ObjectId "a1d91a49-70c6-4d1d-a80a-b74c820a9a33"
Any advice is appreciated.
This command only revokes the RefreshToken which can be used to obtain a new AccessToken. It does not revoke AccessTokens. Applications are not validating every JWT access token against AAD every time, they only validate the signature. This is why access tokens are usually given out with a much lower lifetime than the refresh tokens.
Business Requirement:
We want to replace our Skype meeting URL with Teams meeting on our production system(within a ABAP daemon service without user integration). So I am trying to integrate with Teams using Microsoft Graph API to be able to generate one online meetings. Then this online meeting URL will send to our customer with a mail.
Target Graph API: For MS Graph API V1.0 verion, I think this in only one option Create onlineMeeting.(Graph API with /beta version is not a good option for production usage).
According the MS Graph documentation V1.0 Create onlineMeeting, this API only support permissions with Delegate type. I think we could only use use username/password authentication flow. Correct me if I'm wrong.
Issues: I'm trying to get token with user and password as describe with ROPC Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials, use following API to test it with my corporate mail.
POST /{{TennatId}}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
SdkVersion: postman-graph/v1.0
Content-Type: application/x-www-form-urlencoded
grant_type=password&client_id={{ClientId}}&client_secret={{ClientSecret}}&scope=https://graph.microsoft.com/onlineMeetings.ReadWrite&userName=MyCorporateMail#org.com&password=MyPassword
But, it will always get invalid_grant response: AADSTS50126: Error validating credentials due to invalid username or password.
I don't know why it cannot get token response with my corporate(work) mail/account **#sap.com, I'm sure my password and other parameters are correct.
And if I use a new-test-user sapse#wardsap.onmicrosoft.com which is created by Azure Active Directory, I'll get token successfully. This user doesn't need Two-Step authentication when login to Azure. But this user does have Teams/OnlineMeeting license, so it couldn't generate onlineMeeting.
My Question:
Will it possible caused by MFA configuration from my org? Because I noticed that every time I login to https://aad.portal.azure.com/, it has second authentication step, verify with my Phone message.
If yes, will it be possible to disable MFA to some test/dev account forever? Where should we config it? Within MS Azure or some where else? Who should I get support from?
For this Create onlineMeeting API, do we have other authentication flow for this Delegate permission type for a back-end daemon service?
Thanks and Best Regards,
Ward
MFA will definitely prevent you from using this authentication flow.
The Resource Owner Password Credentials flow and its use are discouraged.
There are many flows which are more secure, and usually you can use ones like authorization code flow to achieve what you want.
MFA is configured by your organization, you'll need to contact your IT about that.
But I would not recommend disabling MFA for this.
A back-end daemon application needs to either use application permissions or a refresh token.
If the API in question does not support application permissions, you can acquire a refresh token for a user through the authorization code flow, store it securely, and use it whenever you need a new token.
If you do this, be sure to overwrite the old refresh token with the new one that you get when you ask for an access token.
I need to write a backend app to read & write one company emailbox.
I have registered Active Directory Application and granted Delegated permissions (read and write to user mailbox).
Question is how to get the token needed for authenticate the graph api calls(for example ListMessages).
From the document I coundn't find any working example for backend app aquiring token and make api calls.
There are two endpoint versions:
Azure AD and Azure AD v2.0 endpoints;
And two authentication method:
1. Get access on behalf of a user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_user
2. Get access without a user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
What shoud I use ? Really confused.
Thanks all.
According to your description, I assume you want to get an access token without user login page.
Based on my test, we can get an access token that run as a background services or daemons.
It requires administrator to grant the access permission once, then user will not see login popup window anymore.
For more detail, we can refer to this official document.
Sounds like you are looking for Resource Owner Password Credentials grant flow.
However its usage is not recommended.
It does not work in these scenarios:
User has MFA
User password has expired
User is federated (MS account/Google/on-prem AD)
The only scenario that I can think of where this flow is okay is integration tests of APIs where you need to test scenarios where you call your API on behalf of a user.
Here is a better way to do what you want:
Require an application permission to access user emails and have the admin grant it. Now you can use client credentials grant flow to get a token anytime you need one.
Use delegated permissions, have the user sign in once with Authorization Code grant flow. Then exchange the code for an access token and a refresh token. Store at least the refresh token somewhere secure. Use refresh token whenever you need a new token.
The first approach is more reliable but requires broader permissions.
The second has tighter security (only users who have authorized access can have their email read), but has slightly less reliability.
Refresh tokens can be invalidated, in which case you'll need the user to login again.
I don't know if there is a solution to revoke a refresh token when :
- a user reset its own password with the reset password policy ?
- a user change its own password with a specific form based on Graph API ?
I think it must be implemented for security reason but I don't if it's possible for now and if not when will it be available ?
Thanks in advance
I found a similar questions to your question Costs of B2C and Refresh tokens.
The essential part of the answer from the other question is:
The log out the web application won’t revoke the token. Azure AD doesn’t support revoking the token at present. However, we can clear the token cache if you doesn’t want users to user the token.
I did some own tests using the Azure AD Graph API and was unable to get the refresh token to expire, even when resetting the password of the user accessing the resources.
As far as I know, there doesn't seem to be any way to expire the token at the moment, except for contacting Azure support and having them expire the token.