This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I am building an app that uses 'Login with Microsoft and everything works fine, except revoking the tokens. The flow is something as follows for logging in:
https://login.microsoftonline.com/common/oauth2/v2.0/token to get the access token and the refresh token. Everything works fine.Everything works fine.
I tried both using the Graph client and doing the POST manual. Each time I get the same error.
method 1: this.graphServiceClient.me().revokeSignInSessions().buildRequest().post()
method 2: restTemplate.postForEntity("https://graph.microsoft.com/v1.0/me/revokeSignInSessions", request, String.class).getStatusCode()
The error is always a 404:
No HTTP resource was found that matches the request URI 'https://outlook.office365.com:444/profile/v1.0/users('CID:ada1129a0c4b4903')/profile/revokeSignInSessions?api-version=AGSV1-internal'.
I don't know what I am doing wrong, especially since fetching data (calendars, events, etc.) works. But the revokeSignInSessions does not.
Hi,
The revokeSignInSessions will revoke all refresh tokens and requires some global admin rights.
Maybe you requested all needed rights because the error you receive is not related to permisions.
I think a better way to sign out would be to just call the logout endpoint:
Hope this helps!
This is not what I am actually trying to achieve. The user logged in in my app and I am using the refresh token to get a new access token. This access token is than used, without user interaction, to retrieve data from the user's account (for example, meetings in the calendar). Now, in case off a compromised token, or if the user no longer wants to give me access, I need a way to invalidate the refresh and access tokens, again, without user interaction.
Obviously, I can delete the tokens from y system, but if the token was compromised (ex: DB dump) I want to invalidate it so that the attacker can't use it.
Ok. So revoking the session does not work for personal accounts. In this case, how do I revoke the refresh token in case is gets compromised for the users logged into my app?
As per the error message, you are facing this issue because you are using Personal Microsoft Account while using this Graph API and as per the documentation this Graph API does not support Personal Microsoft account. I was able to replicate this with my Personal account. Please make sure you are using work or school account while using this Graph API.
Hope this helps.
If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.
If it is not supported, how do I revoke the refresh token in case it gets compromised?
This is an expected error, and this API doesn't revoke sign-in sessions for external users, because external users sign in through their home tenant.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.