Invalidating Azure AD issued JWT Access tokens on user logout

Kunal Joshi 10 Reputation points Microsoft Employee
2023-01-17T14:00:27.7866667+00:00

Hi - One of my customers has a use case where they need to invalidate the JWT access token when the user signs out of the application. Today, they are only deleting the tokens from the browser, but if someone gets the token, they can still access the API until the token expires. The details of the customer's use case are below:

"We have a web application (uses Ajax) which uses API calls to different but related applications. The returned JSON is presented by the web application.

The web user logs in and gets a refresh token and an access token from Azure AD. These tokens are used to access the API. No other session management is used.

The sign-off function developed for the web application just clears the tokens from the local browser and does not invalidate the JWT tokens, since “Microsoft systems won’t be invalidating the access token”."

They are looking for our recommendations for an industry standard for “Web+API” application.

Looking at previous answers on a similar topic, I found that the only recommendation is to reduce the TTL of the access tokens, but I would like to get some expert opinion on this topic. Please let me know.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2023-01-18T16:03:33.7066667+00:00

    Hello, Azure AD can invalidate access tokens through Continuous access evaluation. For more information on how to enable your API and clients, take a look at How to use Continuous Access Evaluation enabled APIs in your applications.

    Continuous access evaluation revokes access tokens in response to events such as an admin revoking a user's refresh tokens. This can be coded into your application during logout, ideally after the application requests Azure AD to clear out the Azure AD user session (through the logout endpoint).

    Alternatively, and since tokens are issued per API and validation is part of an API's duties, you may develop token invalidation and tracking in your very same API.

    Let us know if you need additional assistance. If the answer was helpful, please accept it.

    1 person found this answer helpful.
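The answer's second option, tracking and invalidating tokens inside the API itself, is shown below as an added example; it is not code from the question, the answer, or Microsoft. It assumes the API's JWT library has already verified the signature, issuer and audience before these checks run, that the token carries a unique id in the standard `jti` claim (the claim name your issuer uses must be confirmed against real tokens), and that an in-memory dictionary is an acceptable stand-in for a shared store such as Redis. Two mechanisms are combined: a denylist of individual token ids, each kept only until that token's own `exp`, and a per-subject logout watermark that rejects any token issued at or before the user's last sign-out, which also covers tokens the API never saw. The demo tokens are constructed with a placeholder signature segment for offline testing.

```python
import base64
import json
import threading
import time

# Claim carrying the per-token unique id. RFC 7519 names it "jti"; the name
# your issuer really uses is an assumption to confirm against real tokens.
TOKEN_ID_CLAIM = "jti"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    This only parses; it does NOT verify the signature. Call it only after
    your JWT library has validated signature, issuer and audience, otherwise
    the claims the revocation logic relies on can be forged.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


class RevocationStore:
    """API-side denylist: revoked token ids plus a per-subject logout watermark.

    Entries live only until the token's own 'exp', so the store is bounded by
    the access-token lifetime. Swap the dicts for a shared store (e.g. Redis)
    when the API runs on more than one instance.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._lock = threading.Lock()
        self._revoked_ids = {}    # token id -> exp (unix seconds)
        self._logout_after = {}   # sub -> unix time of last logout

    def revoke_token(self, claims: dict) -> None:
        """Revoke one specific token, e.g. the one presented to /logout."""
        with self._lock:
            self._revoked_ids[claims[TOKEN_ID_CLAIM]] = int(claims["exp"])

    def revoke_subject(self, sub: str) -> None:
        """Reject every token for 'sub' issued at or before now (conservative
        by one second if a new token is issued in the same second)."""
        with self._lock:
            self._logout_after[sub] = int(self._clock())

    def is_revoked(self, claims: dict) -> bool:
        now = self._clock()
        with self._lock:
            tid = claims.get(TOKEN_ID_CLAIM)
            if tid is not None and self._revoked_ids.get(tid, 0) > now:
                return True
            cutoff = self._logout_after.get(claims.get("sub"))
            return cutoff is not None and int(claims.get("iat", 0)) <= cutoff

    def purge_expired(self) -> int:
        """Drop denylist entries whose tokens have expired anyway; returns count."""
        now = self._clock()
        with self._lock:
            stale = [tid for tid, exp in self._revoked_ids.items() if exp <= now]
            for tid in stale:
                del self._revoked_ids[tid]
        return len(stale)


def authorize(token: str, store: RevocationStore, clock=time.time) -> tuple:
    """Decide whether an already-signature-validated token may call the API."""
    claims = decode_claims(token)
    if int(claims["exp"]) <= clock():
        return False, "expired"
    if store.is_revoked(claims):
        return False, "revoked"
    return True, "ok"


def make_demo_token(claims: dict) -> str:
    """Build a CONSTRUCTED demo token with a placeholder signature segment."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    now = int(time.time())
    store = RevocationStore()
    tok = make_demo_token({"sub": "alice", "jti": "demo-1", "iat": now - 60, "exp": now + 3600})
    print(authorize(tok, store))          # (True, 'ok')
    store.revoke_token(decode_claims(tok))  # what the API does on /logout
    print(authorize(tok, store))          # (False, 'revoked')
```

On logout the web application should call an API endpoint that invokes `revoke_token` (or `revoke_subject` to cover every token the user holds) in addition to clearing the browser storage; the store only needs to remember an entry for as long as the access token TTL, so shortening the TTL, as the earlier answers recommended, also keeps this denylist small.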
