I use Azure AD B2C. Now I'm trying to revoke refresh token using Graph API revokeSignInSessions to handle case of user logs out.
Following this link https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow#1-get-an-authorization-code, using postman, I do step by step:
Step 1: Get the code
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize? client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6 &response_type=code &redirect_uri=https://jwt.ms/ &response_mode=query &scope=offline_access%20https://{tenant-name}/{app-id-uri}/{scope} &state=arbitrary_data_you_can_receive_in_the_response
Step 2: Get refresh token by using the code from step 1
POST https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&scope=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6%20offline_access&code=code%20from%20step%201&client_secret=QHS8i~...
Step 3: Get new access token by using the refresh token
POST https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&client_secret=QHS8i~...&scope=openid%20offline_access&refresh_token=refresh%20token%20from%20step%202
I can get new access/id token from the refresh token. After that I revoke the refresh token by using Graph API revokeSignInSessions.
POST https://graph.microsoft.com/v1.0/users/{user_id}/revokeSignInSessions
Call api and wait after 5 minutes, 10 minutes, 15 minutes and even 30 minutes (for each test) and I can still get new acces token from the refresh token. I also try the Revoke sessions button on Azure portal and have the same result.
And the special thing is that when I call the revoke api for the second time, the refresh token is actually revoked (Includes original token refresh and next refresh token received after the first unsuccessful revocation)
Checked refreshTokensValidFromDateTime and signInSessionsValidFromDateTime properties, they are reset to current date and time as expected after calling the revoke action. Users who are logged in to the browser are also forced to log in again.
The only problem I see here is that I have to call the revocation API twice to actually revoke the refresh token. Is this a bug or am I doing it wrong somewhere. Please help me.