I don't know if there is a solution to revoke a refresh token when:
- a user resets their own password with the reset password policy?
- a user changes their own password with a specific form based on the Graph API?
I think it must be implemented for security reasons, but I don't know if it's possible for now and, if not, when it will be available?
Thanks in advance
I found a similar question to yours: Costs of B2C and Refresh tokens.
The essential part of the answer from the other question is:
Logging out of the web application won't revoke the token. Azure AD doesn't support revoking the token at present. However, we can clear the token cache if you don't want users to use the token.
I did some tests of my own using the Azure AD Graph API and was unable to get the refresh token to expire, even when resetting the password of the user accessing the resources.
As far as I know, there doesn't seem to be any way to expire the token at the moment, except for contacting Azure support and having them expire the token.
Related
We are using Azure Active Directory B2C to authenticate users into our app; we use a user flow to let the user enter their credentials. After receiving the access token from Azure we generate an app token that contains app-related information.
We recently added the keep me signed in feature, but it seems that there is no way to know from the response whether the user has checked it or not. Even the returned access token still expires after 60 minutes. This causes a problem for us since our app logs the user out automatically after the token times out, but if the user chooses to stay signed in we want to stop this behavior. So how can we tell if the user checked keep me signed in?
I've read a lot in the Microsoft docs and searched a lot with no luck finding a way!
The one thing I found was a KMSI attribute, but it can only be added in custom policies, which is kinda hard to do now. Is there a way to get such an indicator from the user flow?
You can get the KMSI Boolean in the token using custom policies and claims resolvers.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview
However, this shouldn't be needed in your scenario. When the access token expires, the refresh token is used to redeem a new access token. If the refresh token is expired, then the B2C cookie is used to perform single sign-on via the B2C login page.
The user is only logged out if all of the above are expired/invalidated.
More to read here: What does KMSI in Azure B2C actually DO?
I have a File > New .NET Core web app which is using Azure AD for authentication, which works fine out of the box.
I have a requirement to create some auth policies, so I have the following code which checks the groups in the user's claims and sets up an "Admin" policy which I can use on my endpoints.
services.AddAuthorization(options =>
{
    options.AddPolicy("Admin", policy => policy.RequireClaim("groups", "XXXXX"));
});
This works fine too. The problem is, once the user is logged in, how can I:
- Revoke access if I need to? (e.g. a user is removed from AD or has his access revoked)
- Refresh the auth so that if there has been any change in claims, roles, groups etc., it is detected.
I took a look at https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access but it doesn't give much. It actually says "It's possible that the app may never send the user back to Azure AD as long as the session token is valid."
What is the best way to handle this?
To summarize the comments and post as an answer:
As I said in the comments, if you need to revoke a user's access rights, you can do this by revoking the user's refresh token. After revoking the user's permissions in Azure, revoke the refresh token and redirect the user to the login page.
After the user is authenticated, he will receive the access token and the refresh token.
First, you need to revoke the user's refresh token. The lifetime of the refresh token is 90 days by default, so you need to revoke it during its lifetime. You can use AAD PowerShell:
Revoke-AzureADUserAllRefreshToken -ObjectId "a1d91a49-70c6-4d1d-a80a-b74c820a9a33"
But as far as I know, the access token cannot be revoked. The default expiration time of the access token is 1 hour. After 1 hour, the user will automatically lose access to AAD.
If you want to terminate user access immediately after the user's permissions are revoked, you can try the continuous access evaluation provided by Microsoft, which helps ensure invalidation of access tokens in near real time. However, as the documentation says, this may cause security issues, so I think it is not the best method.
So I think the best way is: just revoke the refresh token, and then wait 1 hour for the access token to expire; the user will automatically lose access to AAD. Then refresh the authentication and redirect the user to the login page.
Using the library msal4j I received a JWT token from Azure Active Directory and now I would like to revoke that token. I didn't find much information about how to do it.
Reference:
- https://learn.microsoft.com/en-us/machine-learning-server/operationalize/how-to-manage-access-tokens#revoke-refresh-tokens
Many thanks in advance
Juan Antonio
The reference you provided only applies to the refresh tokens from Machine Learning Server. If you want to revoke a specific refresh token from Azure AD, there is no such way currently; you can only revoke all the refresh tokens for a user.
You could use the options below:
- Microsoft Graph - user: invalidateAllRefreshTokens (not recommended for use in a production environment, it is a Beta version)
- Azure AD Graph - Invalidate all refresh tokens for a user
- PowerShell command - Revoke-AzureADUserAllRefreshToken
BTW, as mentioned in the comment, this operation is typically performed (by the user or an administrator) if the user has a lost or stolen device; for logout, just redirecting the user to log out with AAD is enough.
I have a question about the tokens regarding Azure AD and multi-factor authentication (MFA).
So I have managed to look into what happens with tokens when they are sent for a user with and without MFA enabled.
What I observed is that in the payload of the token there is an extra claim in the "amr": [] tag. By default there is 'pwd' in that object, but with MFA there is also a claim called 'mfa'.
So now I know that somehow the token gets modified depending on the enabled options.
Is there some other claim or mechanism to obtain a specific ID for the device that the token was issued to? A device ID that potentially relates to its registration through "Workplace Join" in Azure AD or through the Microsoft Authenticator app?
Is there a separate token being sent related to the Application Password that is continuously talked about in the forums and documentation?
Update:
Ok, so reading about the application password, it's basically used as another form of authenticating the multi-factor authentication. And I guess it gets stored both in Azure AD and also on the phone somewhere inside the Authenticator app.
So another question, is it possible to access this password from code?
There is no such claim about the device information in the id_token issued by Azure AD. You can refer to all the claims in the id_token from the links below:
Azure AD token reference
Azure Active Directory v2.0 tokens reference
Is it possible to access this password from code?
As far as I know, there is no API like the Azure Graph REST API with which we can retrieve the password. And if you have any suggestions about MFA, you can submit them from the link here.
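The revocation answer above notes that an access token stays valid for up to an hour after the refresh tokens are revoked, and the MFA question observes the 'mfa' value in the "amr" claim. The following added example (not code from any of the answers, and not an Azure library) shows how a resource server can close that window itself: it records the time it learned of a revocation or password reset per user object id and rejects any token whose iat predates it, and optionally requires 'mfa' in "amr". The sample tokens, the oid values and the REVOKED_BEFORE table are constructed for illustration; signature verification against the tenant's keys is assumed to have happened already.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(payload: dict) -> str:
    # Constructed, unsigned sample token for offline illustration only.
    # A real Azure AD token must have its RS256 signature verified against the
    # tenant's published signing keys before any claim below is trusted.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(body))


def evaluate_token(token: str, revoked_before: dict, now: float, require_mfa: bool = False):
    """Return (accepted, reasons). revoked_before maps a user's 'oid' to the unix
    time at which the server recorded a refresh-token revocation or password
    reset; a token issued (iat) before that time is rejected even though its
    'exp' has not passed, so access ends without waiting for the token to expire."""
    claims = decode_payload(token)
    reasons = []
    if claims.get("exp", 0) <= now:
        reasons.append("expired")
    cutoff = revoked_before.get(claims.get("oid"))
    if cutoff is not None and claims.get("iat", 0) < cutoff:
        reasons.append("issued before revocation")
    if require_mfa and "mfa" not in claims.get("amr", []):
        reasons.append("amr lacks mfa")
    return (not reasons, reasons)


# Constructed sample: user-oid-1 had refresh tokens revoked at unix time 2000.
REVOKED_BEFORE = {"user-oid-1": 2000}
TOKEN_PRE_REVOKE = make_sample_jwt({"oid": "user-oid-1", "iat": 1500, "exp": 5100, "amr": ["pwd"]})
TOKEN_POST_REVOKE = make_sample_jwt({"oid": "user-oid-1", "iat": 2500, "exp": 6100, "amr": ["pwd", "mfa"]})

if __name__ == "__main__":
    for name, tok in [("pre-revoke", TOKEN_PRE_REVOKE), ("post-revoke", TOKEN_POST_REVOKE)]:
        print(name, evaluate_token(tok, REVOKED_BEFORE, now=3000, require_mfa=True))
```

The revocation timestamp can be populated when the Revoke-AzureADUserAllRefreshToken cmdlet or the Graph invalidation call mentioned above is run, so the backend stops honouring older access tokens at the same moment.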
I'm trying to set up an Azure Web App to authenticate with Azure AD and refresh the ID token behind the scenes automatically.
A great blog post helped me understand how the whole thing works:
https://cgillum.tech/2016/03/07/app-service-token-store/
And this guide linked from it helped me set it up:
http://cgillum.tech/2016/03/25/app-service-auth-aad-graph-api/
It seems enabling refresh tokens for Azure AD authentication isn't that simple, so as recommended I used the aforementioned guide to set it up as if it were for the Graph API.
The problem I'm having is that even after calling the ".auth/refresh" endpoint and then calling the ".auth/me" endpoint, the only token which is refreshed is the access token. That token is of no use to me since I use the ID token when communicating with my backend server (using an "Authorization: Bearer" header).
So how do I get the ID token to refresh as well?
Unfortunately AAD does not support refreshing the ID token. Only the access token can be refreshed. See here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-oauth-code/#refreshing-the-access-tokens
But even if it could be refreshed, it's more correct to use an access token when authenticating with another service, so I suggest changing your apps to work this way. The claims on the access token and the id_token are very similar so it should not be a very disruptive change.