Hi @Michael Haggren, while Azure B2C does not have a "revoke" endpoint for tokens like GCP and Amazon do, there are a few ways that you can accomplish this.
One approach is to use a custom policy to force the user to log out after they have reset their password. You can do this by adding a "Logout" technical profile to your custom policy that is triggered after the user has successfully reset their password. The "Logout" technical profile should include the "revokeSignInSessions" endpoint with Microsoft Graph to revoke the user's tokens and force them to log out of all applications.
Here is an example of what the "Logout" technical profile might look like:
```xml
<TechnicalProfile Id="Logout">
  <DisplayName>Logout</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="client_id">your_client_id</Item>
    <Item Key="IdTokenAudience">your_client_id</Item>
    <Item Key="revoke_tokens_endpoint">https://graph.microsoft.com/v1.0/users/{objectId}/revokeSignInSessions</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" />
  </InputClaims>
  <OutputClaims />
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
```
You can then add a "ValidationTechnicalProfile" to your password reset user journey that calls the "Logout" technical profile after the user has successfully reset their password. Here is an example of what the "ValidationTechnicalProfile" might look like:
```xml
<ValidationTechnicalProfiles>
  <ValidationTechnicalProfile ReferenceId="LocalAccountWritePasswordUsingObjectId" />
  <ValidationTechnicalProfile ReferenceId="Logout" />
</ValidationTechnicalProfiles>
```
This will ensure that the user is logged out of all applications after they have reset their password.
Please let me know if you have any questions and I can help you further.
If this answer helps you, please mark "Accept Answer" so other users can reference it.
Thank you,
James
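As an added, stand-alone example (not code from the answer above or from Microsoft's B2C policy samples): the Graph call the "Logout" profile relies on, together with the check a resource API can make afterwards, because revokeSignInSessions invalidates refresh tokens and session cookies while access tokens issued before the reset stay valid until they expire. It assumes a Graph bearer token that carries User.RevokeSessions.All, that the user's signInSessionsValidFromDateTime property has already been read from Graph, and uses constructed object ids, timestamps and responses.

```python
import json
import urllib.request
from datetime import datetime, timezone
from typing import Any, Callable, Dict, Optional

GRAPH = "https://graph.microsoft.com/v1.0"


def _graph_post(url: str, token: str) -> Dict[str, Any]:
    # Real transport: POST with an empty JSON body and a bearer token (assumed to
    # hold User.RevokeSessions.All). Not exercised by the offline test below.
    req = urllib.request.Request(
        url, data=b"{}", method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def revoke_sign_in_sessions(object_id: str, token: str,
                            post: Callable[[str, str], Dict[str, Any]] = _graph_post) -> bool:
    """POST /users/{id}/revokeSignInSessions; Graph answers {"value": true} on success."""
    url = f"{GRAPH}/users/{object_id}/revokeSignInSessions"
    return post(url, token).get("value") is True


def parse_graph_datetime(value: str) -> datetime:
    """Parse Graph's DateTimeOffset strings such as '2024-03-01T09:15:00.1234567Z'.

    datetime.fromisoformat() rejects a trailing 'Z' before Python 3.11 and never
    accepts 7 fractional digits, so both are normalised first.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    if "." in value:
        head, tail = value.split(".", 1)
        frac = tail.split("+", 1)[0].split("-", 1)[0]
        value = head + "." + frac[:6] + tail[len(frac):]
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def token_still_valid(claims: Dict[str, Any], sessions_valid_from: Optional[str]) -> bool:
    """Accept a token only if its iat is not before signInSessionsValidFromDateTime."""
    if not sessions_valid_from:
        return True  # the user has never had sessions revoked
    issued_at = claims.get("iat")
    if not isinstance(issued_at, (int, float)):
        return False  # no issue time on the token: treat it as stale
    issued = datetime.fromtimestamp(issued_at, tz=timezone.utc)
    return issued >= parse_graph_datetime(sessions_valid_from)
```

The `iat` comparison is the piece a resource API adds on its side; the revocation call alone only stops new tokens from being minted from old refresh tokens.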