Graph API revokeSignInSessions in Azure AD B2C: have to call twice to completely revoke a refresh token

Phúc Trần 0 Reputation points
2023-05-11T03:50:58.6133333+00:00

I use Azure AD B2C. Now I'm trying to revoke refresh token using Graph API revokeSignInSessions to handle case of user logs out.

Following this link https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow#1-get-an-authorization-code, using postman, I do step by step:

Step 1: Get the code

GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize? client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6 &response_type=code &redirect_uri=https://jwt.ms/ &response_mode=query &scope=offline_access%20https://{tenant-name}/{app-id-uri}/{scope} &state=arbitrary_data_you_can_receive_in_the_response

Step 2: Get refresh token by using the code from step 1

POST https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token

Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&scope=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6%20offline_access&code=code%20from%20step%201&client_secret=QHS8i~...

Step 3: Get new access token by using the refresh token

POST https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token

Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&client_secret=QHS8i~...&scope=openid%20offline_access&refresh_token=refresh%20token%20from%20step%202

I can get new access/id token from the refresh token. After that I revoke the refresh token by using Graph API revokeSignInSessions.

POST https://graph.microsoft.com/v1.0/users/{user_id}/revokeSignInSessions

Call api and wait after 5 minutes, 10 minutes, 15 minutes and even 30 minutes (for each test) and I can still get new acces token from the refresh token. I also try the Revoke sessions button on Azure portal and have the same result.

And the special thing is that when I call the revoke api for the second time, the refresh token is actually revoked (Includes original token refresh and next refresh token received after the first unsuccessful revocation)

Checked refreshTokensValidFromDateTime and signInSessionsValidFromDateTime properties, they are reset to current date and time as expected after calling the revoke action. Users who are logged in to the browser are also forced to log in again.

The only problem I see here is that I have to call the revocation API twice to actually revoke the refresh token. Is this a bug or am I doing it wrong somewhere. Please help me.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,186 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. 2023-05-16T13:38:02.09+00:00

    Hello @Phúc Trần , ensure you implement and leverage Single sign-out to remove invalidate/remove all session cookies. The revokeSignInSessions operation does not remove it so extra steps must be taken.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.