In my Next.js application, after a user signs up and is redirected to my app, there are steps they have to complete. After they complete those steps, I update the user claims from my backend using the Azure AD Graph API, so I need to expire the session and force re-authentication with the existing user session, without any user input, so that I can extract those claims from the new token. How can I re-authenticate the user in this way?
acquireTokenSilent() always retrieves the access token from the cache.
To expire the session and force re-authentication with the existing user session, you could directly log out of AAD and then clear the cache.
We are using msal-react library to login to Azure ADB2C. We support both externally federated users and "local" users, which are stored in our Azure ADB2C tenant. However, when my "local" B2C user signs out, even though I see tokens gone from the browser session storage, I am not asked for a password during next login and I am automatically logged in. When I close the browser it works, but not in the same browser session. Is this a bug in msal-react logout?
Any suggestions?
User is not prompted for a password after signing out from local B2C since the session cookie is still present. You can force re-authentication:
Adding ?prompt=login to the /authorize request, e.g. https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?prompt=login&...
Or
Configuring Azure AD B2C session behavior.
I have a File > New .NET Core web app which is using Azure AD for authentication, and that works fine out of the box.
I have a requirement to create some auth policies, so I have the following code, which checks the groups in the user's claims and sets up an "Admin" policy which I can use on my endpoints.
services.AddAuthorization(options =>
{
options.AddPolicy("Admin", policy => policy.RequireClaim("groups", "XXXXX"));
});
This works fine too. The problem is, once the user is logged in, how can I:
Revoke access if I needed to? (e.g. a user is removed from AD or has his access revoked)
Refresh the auth so that if there has been any change in claims, roles, groups etc, it is detected.
I took a look at https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access but it doesn't give much. It actually says "It's possible that the app may never send the user back to Azure AD as long as the session token is valid."
What is the best way to handle this?
To summarize the comments and post as an answer:
As I said in the comments, if you need to revoke a user's access rights, then you can do this by revoking the user refresh token. After revoking the user's permissions in Azure, then revoke the refresh token and redirect the user to the login page.
After the user is authenticated, he will receive the access token and the refresh token.
First, you need to revoke the user's refresh token. The lifetime of the refresh token is 90 days by default, so you need to revoke it during its lifetime. You can use Azure AD PowerShell:
Revoke-AzureADUserAllRefreshToken -ObjectId "a1d91a49-70c6-4d1d-a80a-b74c820a9a33"
But as far as I know, the access token cannot be revoked. The default expiration time of the access token is 1 hour. After 1 hour, the user will automatically lose access to AAD.
If you want to terminate user access immediately after the user's permissions are revoked, you can try the continuous access evaluation provided by Microsoft, which helps ensure invalidation of access tokens in near real time. However, as the documentation says, this may cause security issues, so I think it is not the best method.
So I think the best way is: just revoke the refresh token, and then wait 1 hour for the access token to expire, the user will automatically lose access to AAD. Then refresh the authentication and redirect the user to the login page.
How do I get the id_token of the logged-in user from Azure AD without a redirect, using a client ID and secret? We are trying the OAuth library's authorize endpoint, but it redirects to the callback URL. We need just the id_token of the already logged-in user.
You must ensure that your application is logged in and has received a refresh token.
Use your refresh token to get the id_token directly, without having to redirect again.
I am using the vue-adal library in my VueJS application to connect to Azure AD.
The AD token is valid for 1 hr after login.
When my token expires I am unable to renew it from the client side.
Is there any way to renew the token from the client side using VueJS, or
is there any other alternate approach that can be used for this scenario?
Thanks,
Gowtham
Since you are using the implicit flow, Azure AD will not return a refresh token in the implicit flow for you to refresh the token. As per this documentation, here is the recommended approach for this.
A JavaScript application has another mechanism at its disposal for renewing access tokens without repeatedly prompting the user for credentials. The application can use a hidden iframe to perform new token requests against the authorization endpoint of Azure AD: as long as the browser still has an active session (read: has a session cookie) against the Azure AD domain, the authentication request can successfully occur without any need for user interaction.
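Added example, not code from any of the posts above, tying together the Next.js question (pick up updated claims without user input), the B2C answer (prompt=login) and the hidden-iframe renewal just described: it builds the /authorize request with prompt=none for a silent renewal or prompt=login for a forced re-authentication, parses the fragment response, and checks whether the returned id_token already carries the updated claim. The authority URL, client ID, redirect URI and claim values are assumed placeholders.

```javascript
// Build the /authorize URL. authority is e.g. the B2C form quoted above,
// https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0
// prompt "none": no UI, succeeds only while the AAD session cookie is alive;
// prompt "login": always re-prompts for credentials. state and nonce must be
// fresh random values the caller keeps for checking the response.
function buildAuthorizeUrl({ authority, clientId, redirectUri, prompt, state, nonce, loginHint, scope }) {
  const params = new URLSearchParams({
    client_id: clientId,
    response_type: "id_token",
    response_mode: "fragment",
    redirect_uri: redirectUri,
    scope: scope || "openid",
    state,
    nonce,
  });
  if (prompt) params.set("prompt", prompt);
  if (loginHint) params.set("login_hint", loginHint); // avoids an account picker in the iframe
  return `${authority}/authorize?${params}`;
}

// Parse the fragment appended to redirect_uri. With prompt=none and no live
// session, AAD answers with error=login_required or interaction_required.
function parseFragmentResponse(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ""));
  if (p.get("state") !== expectedState) return { ok: false, error: "state_mismatch" };
  if (p.has("error")) return { ok: false, error: p.get("error"), description: p.get("error_description") };
  return { ok: true, idToken: p.get("id_token") };
}

// Decode the payload only; signature, issuer, audience, exp and nonce must
// still be validated with a JWT library before the claims are trusted.
function decodeClaims(jwt) {
  return JSON.parse(Buffer.from(jwt.split(".")[1], "base64url").toString("utf8"));
}

// True when the token already carries the claim the backend just set.
function hasClaim(claims, name, value) {
  const v = claims[name];
  return Array.isArray(v) ? v.includes(value) : v === value;
}

// Browser side: load the prompt=none URL in a hidden iframe and hand back
// the fragment once AAD has redirected it to our same-origin redirect_uri.
function renewInHiddenIframe(url, onFragment) {
  const iframe = Object.assign(document.createElement("iframe"), { hidden: true, src: url });
  iframe.onload = () => { onFragment(iframe.contentWindow.location.hash); iframe.remove(); };
  document.body.appendChild(iframe);
}
```

If the silent request comes back with login_required, fall back to a top-level redirect built with prompt "login"; the backend should also keep validating the token's signature and nonce, since decodeClaims only reads the payload.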
I am using the Flickr PHP SDK phpFlickr-3.1 to access media content in a web application. I have successfully obtained the authentication token with the required grants. I need to support a logout feature in the web application. The logout from the web application should either log out from the Yahoo account or revoke the grants from the authentication token.
Is there any API to logout / expire authentication token / remove grant permission from authentication token?
I'm not aware of an API to explicitly log out. However, you can simply discard the access token that you received from the OAuth workflow, once your access is complete. This will force your application to go through the workflow again, the next time your app needs access. Quoting from the docs, emphasis added:
After the user authorizes your application, you can exchange the approved Request Token for an Access Token. This Access Token should be stored by your application, and used to make authorized requests to Flickr.