I am trying to revoke a refresh token so that it cannot be used any further to obtain more access tokens via oauth2.
I am using simple-oauth2 nodejs library that wraps the requests to obtain access and refresh tokens. Once I have these tokens, I can use the access token to make graph.microsoft.com calls. When the token expires, I can obtain a new one. This library has a .revoke() method that takes a revoke url. I specify this as http://login.microsoft.com/common/oauth2/v2.0/logout
but the refresh token is still valid.
According to https://support.office.com/en-us/article/Session-timeouts-for-Office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40?ui=en-US&rs=en-US&ad=US
The Azure Active Directory: "An administrator can apply conditional access policies which restrict access to the resource the user is trying to access."
Is it possible to revoke using oauth2 request? I see this https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oidc
which shows the oauth2 logout url /common/oauth2/v2.0/logout.
Azure Active Directory does not support or provide an endpoint for an application to revoke the refresh tokens. The recommended approach is to clear the token cache on logout to prevent the re-use of the token.
A similar post is here: Revoke a refresh token on Azure AD B2C
You can read more about the policies on token lifetimes of refresh tokens here
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes
Related
I am using Azure AD B2C as my authentication.
We are currently building an SPA and have API Management as a backend API.
And I have access to API Management with an access token issued by B2C.
Here, we want to use user information in the SPA, so we are considering using the MsGraph API.
At this time, we also need an access token to access MsGraph. Can we use the same access token for MsGraph and APIM?
Can I use the same access token for MsGraph and APIM, or do I need to save both MsGraph and APIM access tokens?
If each access token is required, is a refresh token also required for each API?
You will need to get multiple tokens in AAD to access different resources. You can use a refresh token from one resource to request an access token for a second resource. I am guessing that you want to minimize access token refresh for multiple resources, so use the refresh token from one resource to get new access tokens from both.
https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens
I have a client with mobile apps that uses Azure AD B2C User flows for authentication.
There is a Policy for SignIn that has the Refresh token lifetime (days), this was set too low and we need to increase it.
If we change this policy setting, will it cause currently valid Refresh token's to expire or remain valid?
It is not listed as a reason in Token revocation
No, change the policy setting won't cause currently valid Refresh token's to expire.
The old refresh token will still be valid.
You can have a quick verification by using ROPC flow:
Acquire an access token/refresh token pair.
Change the Refresh token lifetime in ROPC user flow.
Use the refresh token above to acquire a new access token.
I am using vue-adal library in my VueJS application to connect to Azure AD.
AD Token valid for 1hr after login.
When my token expires i am unable to renew it from client side.
Is there any way to renew token from client side using VueJS or
Any other alternate approach can be used for this scenario?
Thanks,
Gowtham
Since you are using implicit flow, azure AD will not return refresh token in implicit flow for you to refresh the token. As per this documentation, here is the recommended approach for this.
A JavaScript application has another mechanism at its disposal for
renewing access tokens without repeatedly prompting the user for
credentials. The application can use a hidden iframe to perform new
token requests against the authorization endpoint of Azure AD: as long
as the browser still has an active session (read: has a session
cookie) against the Azure AD domain, the authentication request can
successfully occur without any need for user interaction.
I need clarification with sample or reference link for below items:
How to enable automatic renewal of access token?
How to get active access token and expiry time ?
Is there any possible ways to get Ad username, password and client id again from access token?
How to validate access token ?
It all needs to be implement in c# not in powershell.
How to enable automatic renewal of access token?
Upon successful authentication , Azure AD returns two tokens: a JWT access token and a JWT refresh token .When the access token expires, the client application will receive an error that indicates the user needs to authenticate again. If the application has a valid refresh token, it can be used to acquire a new access token without prompting the user to sign in again. If the refresh token expires, the application will need to interactively authenticate the user once again.
How to get active access token and expiry time ?
For how to authenticate users and get an Azure AD access token for your azure ad app , you could refer to Authentication Scenarios for Azure AD .The Azure Active Directory Authentication Library (ADAL) enables client application developers to easily authenticate users to cloud or on-premises Active Directory (AD), and obtain access tokens for securing API calls. ADAL is available on a variety of platforms. You could find code samples and common scenario in this document .
Is there any possible ways to get Ad username, password and client id again from access token?
You could get decode the access token , find the upn claim which Stores the user name of the user principal ; appid claim identifies the application that is using the token to access a resource. Please refer to document :Azure AD token reference .And of course ,you can't get password information .
How to validate access token ?
JWT tokens are signed, but not encrypted when received. It must validate the signature to prove the token's authenticity and validate a few claims in the token to prove its validity. The claims validated by an app vary depending on scenario requirements, but there are some common claim validations that your app must perform in every scenario.For example, we need to verify the iss and aud claim if you were developing a single tenant app. And you also need to verify the nbf to ensure the token is not expired. For more details , please refer to Validating tokens .
Here is a code sample for how to manually validating a JWT access token in a web API . And if you were using the OWIN components in your project, it is more easy to verify the token by using UseWindowsAzureActiveDirectoryBearerAuthentication extension , code sample here is for your reference .
I'm trying to create a script which connect to OneDrive (consumer) in order to get some file.
However, between consumer and enterprise and all those different azuread stuff I'm lost.
Is there a simple explanation on how do I get a token to access OneDrive in a daemon app?
To interact with OneDrive for the personal account, we can use the Microsoft Graph via acquiring the token form Azure AD V2.0 endpoint.
However, this endpoint doesn't support such scenario. The client credentials flow for Azure AD v2.0 endpoint only work for the organizational account.
As a workaround, you may consider get the access token and refresh token via the code flow and then using the refresh token to renew the access token. And you need to acquire the refresh token before it is expired. And based on the document the lifetime of refresh token for the personal account is up to 1 year(refer here).
And to acquire the access token and refresh token for OverDrive personal account you can refer the code flow from this document.