The access token remains valid after calling the endpoint that sends the sign-out request. The access token can still be used to access the Web API protected by Azure AD B2C.

Ryu, Toutou (SEC) 45 Reputation points
2023-06-20T09:57:53.6533333+00:00

Dear Microsoft

Thank you for your assistance.

I have a technical question and would appreciate your guidance.

The following is the content of the question.

(1) Assumption

We are developing a service that uses Azure AD B2C to perform authentication and authorization through an external identity provider, but we have a problem with the behavior after signing out.

When the logout button is pressed in the client (web app), the endpoint that sends the Azure AD B2C sign-out request is called.

https://learn.microsoft.com/ja-jp/azure/active-directory-b2c/openid-connect

Send sign-out request

(2) Azure AD B2C general setup

1. Enable "Keep me signed in to the session": checked

2. Keep me signed in to the session (days): 30

3. Require ID token for logout request: ON

(3) Problem

The access token remains valid after calling the endpoint that sends the sign-out request. The access token can still be used to access the Web API protected by Azure AD B2C.

(4) Related detailed configuration values

GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout?id_token_hint=id_token

(5) Question

Is there any way to invalidate the access token after logout and prevent access to the Azure AD B2C Web API?

We apologize for taking up your time, but we would appreciate your response.

Thank you in advance.

Translated with www.DeepL.com/Translator (free version)

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

Accepted answer
    Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator
    2023-06-22T13:11:40.15+00:00

    @Ryu, Toutou (SEC)

    Thank you for posting your query on Microsoft Q&A.

    From the above description, I understand that you are looking for a way to revoke the access token when the user hits the Sign-out/Logout URI.

    Please do correct me if there is any discrepancy by responding in the comments section.

    The access token cannot be revoked or invalidated. The only option is to set the minimum lifetime for the access token. The minimum (inclusive) is 5 minutes.


    This would force the session to renew the access token every 5 minutes via the refresh token.

    Also, please be aware that the user may not be able to use the access token for any other B2C API.

    However, Web API chains (On-Behalf-Of) are not supported by Azure AD B2C. Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in clients that have a web API back end, which in turn calls another service. This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C. Although On-Behalf-Of works for applications registered in Azure AD, it does not work for applications registered in Azure AD B2C, regardless of the tenant (Azure AD or Azure AD B2C) that is issuing the tokens.

    Apart from this, you must configure the session behavior to be as restrictive as possible, so that

    Please do let me know if you have any queries by responding in the comments section.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.

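The following is an added example, not code from the question or from the accepted answer. It models what the answer describes: the logout endpoint ends the B2C browser session but does nothing to a bearer access token that is already in the client's hands, so a Web API doing only standard JWT validation (signature, issuer, audience, nbf/exp) keeps accepting it until it expires. The 5-minute minimum lifetime bounds that window; to close it earlier, the example adds an application-side check the answer does not cover: the API records each user's last sign-out time and rejects tokens issued before it. Everything here is constructed for illustration. Tokens are minted locally with HS256 (real B2C tokens are RS256 and would be validated against the tenant's JWKS); the issuer string, audience, user identifier, and the `record_logout` and `authorize_request` names are assumptions, not B2C APIs.

```python
"""Added example: a B2C logout call does not invalidate a bearer access token.

Constructed test tokens (HS256) stand in for B2C-issued RS256 tokens; the
claims used (iss, aud, sub, iat, nbf, exp) are the standard ones a B2C
access token carries.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

SECRET = b"test-only-signing-key"  # constructed; stands in for the issuer's key
ISSUER = "https://{tenant}.b2clogin.com/{tenant-id}/v2.0/"  # assumed issuer value
AUDIENCE = "api://example-web-api"  # assumed client ID of the protected Web API
MIN_LIFETIME_SECONDS = 5 * 60  # the 5-minute minimum lifetime from the answer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, iat: int, lifetime: int = MIN_LIFETIME_SECONDS) -> str:
    """Constructed issuer: builds an HS256 JWT with the standard time claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub,
              "iat": iat, "nbf": iat, "exp": iat + lifetime}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, now: int) -> Optional[dict]:
    """Standard bearer validation: signature, issuer, audience, time window.

    Nothing here knows whether the user has signed out of B2C; the token is
    self-contained, which is exactly why logout does not affect it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not (claims["nbf"] <= now < claims["exp"]):
        return None
    return claims


# Assumed application-side design (not a B2C feature): the Web API keeps the
# epoch time of each user's last sign-out, keyed by the token's `sub` claim.
_signed_out_at: Dict[str, int] = {}


def record_logout(sub: str, at: int) -> None:
    """Called by the app's own logout handler, alongside the B2C logout redirect."""
    _signed_out_at[sub] = at


def authorize_request(token: str, now: int) -> bool:
    """Standard validation plus rejection of tokens issued before the last sign-out."""
    claims = validate_token(token, now)
    if claims is None:
        return False
    # A token minted before the user signed out is treated as dead, even though
    # its signature and exp are still good. Allow for small clock skew in
    # production; the example uses an exact comparison.
    return claims["iat"] >= _signed_out_at.get(claims["sub"], 0)


def scenario() -> Dict[str, bool]:
    """Walks through the sequence from the question with constructed timestamps."""
    t0 = 1_700_000_000
    token = mint_token("user-1", iat=t0)
    results = {}
    results["before_logout"] = authorize_request(token, now=t0 + 60)
    # The client now calls .../oauth2/v2.0/logout?id_token_hint=... . The bearer
    # token in its possession is untouched, so plain validation still passes:
    results["after_logout_plain_validation"] = validate_token(token, t0 + 120) is not None
    # With the app-side sign-out record, the same token is refused:
    record_logout("user-1", at=t0 + 120)
    results["after_logout_app_check"] = authorize_request(token, now=t0 + 121)
    # Without the app-side check, only expiry (5 minutes here) ends the window:
    results["after_expiry"] = validate_token(token, t0 + MIN_LIFETIME_SECONDS) is not None
    # A token from a fresh sign-in after the logout is accepted again:
    fresh = mint_token("user-1", iat=t0 + 300)
    results["new_signin"] = authorize_request(fresh, now=t0 + 301)
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The sign-out record has to be shared by every instance of the Web API (a cache or database, not a process-local dict as here), and it only helps if the app's logout handler runs before the browser is redirected to the B2C logout endpoint; a token stolen from the client is still usable for up to the configured lifetime by anyone who does not go through that handler, which is the reason the answer recommends the 5-minute minimum regardless.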
