EntraID (AzureAD) OIDC implementation missing revocation_endpoint
Adam (15 Reputation points)
Why doesn't Azure provide the revocation_endpoint
for OIDC - or if it does, how to enable it?
If not - are there any plans to add it?
Is there any other way to revoke a user's refresh_token along with access tokens, other than terminating all of their sessions using the Graph API: https://graph.microsoft.com/v1.0/users/{user-uuid}/revokeSignInSessions ?
This is a serious security flaw of Azure, since
- an unrevoked token can be used to obtain access tokens and maintain the session indefinitely
- currently, revocation in Azure requires special implementation in the services that want to do it
- many clients cannot afford to terminate all of a user's sessions just to revoke a single token
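The following is an added example, not part of the question or of any Microsoft library, showing how a relying party can check an OIDC discovery document for a `revocation_endpoint` (RFC 7009 / OpenID Connect Discovery) and, when the provider does not publish one, fall back to the coarser Graph `revokeSignInSessions` call the question mentions. The two discovery documents are constructed samples with placeholder issuer and endpoint URLs; the functions only build the HTTP requests and do not send them, so the block runs offline.

```python
import json
from typing import Optional
from urllib.parse import quote, urlencode

# Constructed sample discovery documents (placeholder URLs, not captured from a real tenant).
# The first mirrors the situation described in the question: no revocation_endpoint is advertised.
SAMPLE_DISCOVERY_WITHOUT_REVOCATION = json.dumps({
    "issuer": "https://login.example.test/{tenant-id}/v2.0",
    "authorization_endpoint": "https://login.example.test/{tenant-id}/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.example.test/{tenant-id}/oauth2/v2.0/token",
    "end_session_endpoint": "https://login.example.test/{tenant-id}/oauth2/v2.0/logout",
})

# Same document from a hypothetical provider that does implement RFC 7009.
SAMPLE_DISCOVERY_WITH_REVOCATION = json.dumps({
    "issuer": "https://idp.example.test",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "revocation_endpoint": "https://idp.example.test/oauth2/revoke",
})

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def revocation_endpoint(discovery_json: str) -> Optional[str]:
    """Return the advertised revocation_endpoint, or None if the provider does not publish one.

    Only an https URL is accepted; a revocation request carries a live token in its body,
    so it must never be sent over plaintext HTTP.
    """
    doc = json.loads(discovery_json)
    endpoint = doc.get("revocation_endpoint")
    if isinstance(endpoint, str) and endpoint.startswith("https://"):
        return endpoint
    return None


def build_rfc7009_request(endpoint: str, token: str, token_type_hint: str = "refresh_token") -> dict:
    """Build the RFC 7009 revocation request: POST, form-encoded body with token and an optional hint.

    Revoking a refresh token is the useful case here, because (as the question notes) an
    unrevoked refresh token can keep minting access tokens until it expires.
    """
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"token": token, "token_type_hint": token_type_hint}),
    }


def build_graph_revoke_sessions_request(user_id: str) -> dict:
    """Build the fallback call from the question: POST /users/{id}/revokeSignInSessions.

    This invalidates every refresh token and session of the user, not a single token,
    which is exactly the coarseness the question objects to. Caller must add a Graph
    bearer token with a permission that allows this action.
    """
    return {
        "method": "POST",
        "url": f"{GRAPH_BASE}/users/{quote(user_id, safe='')}/revokeSignInSessions",
        "headers": {"Content-Type": "application/json"},
        "body": "",
    }


def plan_revocation(discovery_json: str, user_id: str, refresh_token: str) -> tuple:
    """Prefer per-token RFC 7009 revocation; fall back to revoking all sessions when unavailable."""
    endpoint = revocation_endpoint(discovery_json)
    if endpoint is not None:
        return ("rfc7009", build_rfc7009_request(endpoint, refresh_token))
    return ("revoke_all_sessions", build_graph_revoke_sessions_request(user_id))


if __name__ == "__main__":
    # Constructed identifiers, not real tenant values.
    for doc in (SAMPLE_DISCOVERY_WITH_REVOCATION, SAMPLE_DISCOVERY_WITHOUT_REVOCATION):
        strategy, request = plan_revocation(doc, "00000000-0000-0000-0000-000000000000", "rt_example")
        print(strategy, request["method"], request["url"])
```

The design point is that the relying party decides at runtime from the discovery document rather than hard-coding either path: if a provider later starts publishing `revocation_endpoint`, the per-token path is used automatically, and until then the only option remains invalidating all of the user's sessions.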