EntraID (AzureAD) OIDC implementation missing revocation_endpoint

Adam 10 Reputation points

Why doesn't Azure provide the revocation_endpoint for OIDC - or if it does, how to enable it?

If not - are there any plans to add it?

Is there any other way to revoke a user's refresh_token along with access tokens, other than terminating all of their sessions using Graph API: https://graph.microsoft.com/v1.0/users/{user-uuid}/revokeSignInSessions ?

This is a serious security flaw of Azure, since

  1. an unrevoked token can be used to obtain access tokens and maintain the session indefinitely
  2. currently revocation in Azure requires special implementation in the services that want to do it
  3. many clients cannot afford to terminate all of a user's sessions just to revoke a single token

@Alfredo Revilla (MSFT)
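The only revocation path the question names is the Graph `revokeSignInSessions` action, and point 2 says services must implement something themselves. The example below is added here and is not code from the question or from Microsoft: it calls that action, reads the user's `signInSessionsValidFromDateTime` that the action resets, and rejects an already-issued access token whose `iat` predates that cutoff (Entra applies the cutoff to refresh tokens; access tokens otherwise live until `exp`). The HTTP transport is injectable, and `_fake_graph` is a constructed stub so it runs offline; the Graph permission required for the action is an assumption.

```python
import json
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def _default_http(method, url, headers, body=None):
    """Real transport: (status, parsed JSON body). Only used when no stub is injected."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


def _fake_graph(method, url, headers, body=None):
    """Constructed stub standing in for Graph; values are made up for the demo."""
    if method == "POST" and url.endswith("/revokeSignInSessions"):
        return 200, {"value": True}
    return 200, {"signInSessionsValidFromDateTime": "2024-01-01T00:00:00Z"}


def revoke_sign_in_sessions(user_id, graph_token, http=_default_http):
    """POST /users/{id}/revokeSignInSessions. Assumes the caller's Graph token
    carries a permission allowing session revocation (e.g. User.ReadWrite.All)."""
    hdrs = {"Authorization": f"Bearer {graph_token}", "Content-Type": "application/json"}
    status, body = http("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", hdrs, b"{}")
    return status == 200 and body.get("value") is True


def sessions_valid_from(user_id, graph_token, http=_default_http):
    """Read the cutoff Entra set when sessions were last revoked (UTC)."""
    hdrs = {"Authorization": f"Bearer {graph_token}"}
    url = f"{GRAPH}/users/{user_id}?$select=signInSessionsValidFromDateTime"
    status, body = http("GET", url, hdrs)
    if status != 200:
        raise RuntimeError(f"Graph returned {status}")
    return datetime.fromisoformat(body["signInSessionsValidFromDateTime"].replace("Z", "+00:00"))


def token_predates_revocation(claims, valid_from):
    """Service-side check: reject a token issued before the revocation cutoff.
    `claims` is the already-validated JWT payload; `iat` is Unix seconds."""
    issued = datetime.fromtimestamp(int(claims["iat"]), tz=timezone.utc)
    return issued < valid_from


if __name__ == "__main__":
    cutoff = sessions_valid_from("demo-user", "demo-token", http=_fake_graph)
    print(token_predates_revocation({"iat": 1704067199}, cutoff))  # True: issued 1s before cutoff
```

Cache the cutoff per user rather than calling Graph on every request, and refresh it when you issue a revocation.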
