EntraID (AzureAD) OIDC implementation missing revocation_endpoint

Adam 15 Reputation points
2023-11-15T17:30:57.96+00:00

Why doesn't Azure provide the revocation_endpoint for OIDC - or if it does, how to enable it?

If not - are there any plans to add it?

Is there any other way to revoke a user's refresh_token along with their access tokens, other than terminating all of their sessions using the Graph API: https://graph.microsoft.com/v1.0/users/{user-uuid}/revokeSignInSessions ?

This is a serious security flaw of Azure, since

  1. an unrevoked token can be used to obtain access tokens and maintain the session indefinitely
  2. currently, revocation in Azure requires a special implementation in the services that want to do it
  3. many clients cannot afford to terminate all of a user's sessions just to revoke a single token

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA
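Added example (not part of the question above, and not Microsoft's code): a small Python helper that checks an OIDC discovery document for an RFC 7009 `revocation_endpoint` and, when the identity provider does not advertise one, falls back to the Graph `revokeSignInSessions` call the question names. The discovery document below is a constructed, abbreviated sample modelled on the Microsoft identity platform metadata (it omits `revocation_endpoint`, matching the question's observation); the `.well-known` URL, the `client_secret_post` client authentication for the RFC 7009 path, and the placeholder tenant, user and token values are assumptions.

```python
"""Revoke a user's refresh token against an OIDC provider: use the RFC 7009
revocation_endpoint when the provider advertises one, otherwise fall back to
Microsoft Graph revokeSignInSessions (which ends all of the user's sessions)."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Constructed, abbreviated discovery document modelled on what the Microsoft
# identity platform publishes. It carries no revocation_endpoint, which is the
# situation the question describes. Not a verbatim copy of the real document.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://login.microsoftonline.com/{tenant}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
    "end_session_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout",
})

# Graph endpoint named in the question; {user_id} is the user's object id.
GRAPH_REVOKE_URL = "https://graph.microsoft.com/v1.0/users/{user_id}/revokeSignInSessions"


def discovery_url(tenant: str) -> str:
    """Well-known OIDC metadata URL for a tenant (assumed v2.0 endpoint layout)."""
    return f"https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration"


def find_revocation_endpoint(discovery_doc: str) -> Optional[str]:
    """Return the advertised revocation_endpoint, or None when the IdP omits it."""
    return json.loads(discovery_doc).get("revocation_endpoint")


def rfc7009_request(endpoint: str, refresh_token: str,
                    client_id: str, client_secret: str) -> urllib.request.Request:
    """RFC 7009 revocation: form-encoded POST naming the single token to revoke.
    Client authentication via client_secret_post is assumed here."""
    body = urllib.parse.urlencode({
        "token": refresh_token,
        "token_type_hint": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def graph_revoke_request(user_id: str, graph_token: str) -> urllib.request.Request:
    """Fallback: revokeSignInSessions invalidates every refresh token issued to
    the user (all apps, all devices). Access tokens already issued stay valid
    until they expire, so this is not an immediate cut-off either."""
    return urllib.request.Request(
        GRAPH_REVOKE_URL.format(user_id=urllib.parse.quote(user_id)),
        data=b"", method="POST",
        headers={"Authorization": f"Bearer {graph_token}"})


def revoke_refresh_token(discovery_doc: str, refresh_token: str, user_id: str, *,
                         client_id: str, client_secret: str, graph_token: str,
                         send: Optional[Callable[[urllib.request.Request], object]] = None) -> str:
    """Pick the narrowest revocation the IdP supports and send it.
    Returns "rfc7009" or "graph" so callers can log which path was taken.
    `send` defaults to a live HTTP call; pass a stub to inspect requests offline."""
    send = send or (lambda req: urllib.request.urlopen(req).status)
    endpoint = find_revocation_endpoint(discovery_doc)
    if endpoint:
        send(rfc7009_request(endpoint, refresh_token, client_id, client_secret))
        return "rfc7009"
    send(graph_revoke_request(user_id, graph_token))
    return "graph"


if __name__ == "__main__":
    # Dry run with placeholder values: print the request instead of sending it.
    path = revoke_refresh_token(
        SAMPLE_DISCOVERY_DOC, "REFRESH_TOKEN", "00000000-0000-0000-0000-000000000000",
        client_id="CLIENT_ID", client_secret="CLIENT_SECRET", graph_token="GRAPH_TOKEN",
        send=lambda req: print(req.get_method(), req.full_url))
    print("revocation path:", path)
```

Against the sample document the helper takes the Graph path, which is the whole-user revocation the question objects to; it takes the per-token RFC 7009 path only if the metadata ever gains a `revocation_endpoint`. The Graph call needs an app or delegated token with a permission such as `User.ReadWrite.All` or `Directory.AccessAsUser.All`, and callers should expect access tokens issued before the call to keep working until their own expiry.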
