Why doesn't Azure provide the revocation_endpoint for OIDC - or if it does, how to enable it?
If not - are there any plans to add it?
Is there any other way to revoke a user's refresh_token along with access tokens, other than terminating all of their sessions using Graph API:
This is a serious security flaw of Azure, since
- an unrevoked token can be used to obtain access tokens and maintain the session indefinitely
- currently revocation in Azure requires special implementation in the services that want to do it
- many clients cannot afford to terminate all of a user's sessions just to revoke a single token
@Alfredo Revilla (MSFT)