I am building an app that uses 'Login with Microsoft' and everything works fine, except revoking the tokens. The flow for logging in is as follows:
- Request to https://login.microsoftonline.com/common/oauth2/v2.0/token to get the access token and the refresh token. Everything works fine.
- Build the Graph client using the access token:
    this.graphServiceClient = GraphServiceClient.builder()
        .authenticationProvider(tokenCredentialAuthProvider)
        .buildClient();
- Do some operations, for example, retrieving calendars: graphServiceClient.me().calendars().buildRequest().get()
Everything works fine.
- Revoke the refresh token when the user no longer wants to use my app. This is where things fail:
I tried both using the Graph client and doing the POST manually. Each time I get the same error.
Method 1: this.graphServiceClient.me().revokeSignInSessions().buildRequest().post()
Method 2: restTemplate.postForEntity("https://graph.microsoft.com/v1.0/me/revokeSignInSessions", request, String.class).getStatusCode()
The error is always a 404:
No HTTP resource was found that matches the request URI 'https://outlook.office365.com:444/profile/v1.0/users('CID:ada1129a0c4b4903')/profile/revokeSignInSessions?api-version=AGSV1-internal'.
I don't know what I am doing wrong, especially since fetching data (calendars, events, etc.) works. But the revokeSignInSessions does not.