Revoke refresh tokens/session in Azure AD B2C

metalheart 361 Reputation points
2023-11-28T10:58:16.2666667+00:00

It seems like there are two MS Graph endpoints meant to invalidate refresh tokens and sessions:

I'd like to get clarity on

  1. What is the difference between these? It looks like the docs only tell part of the truth; in reality both of them reset the refreshTokensValidFromDateTime and signInSessionsValidFromDateTime user properties.
  2. Why is it that they do not work reliably? In the scenario below, I have seen mixed results in their ability to prevent renewing the access token using the refresh token grant (sometimes the refresh token can be used successfully, sometimes an error is thrown), and no success in invalidating the B2C user session.

Scenario

  1. Get a B2C access and refresh token via the B2C sign-in flow, using the resulting authorization code against the token endpoint
  2. Invalidate the token via calling one of above MS Graph endpoints
  3. Verify user attributes have been reset:
    https://graph.microsoft.com/v1.0/users/{{ _.userIds.local }}?$select=refreshTokensValidFromDateTime,signInSessionsValidFromDateTime
  4. Wait 15 minutes (the docs for revokeSignInSessions say there might be a "small delay of a few minutes before tokens are revoked".)
  5. Attempt refreshing the token (Expectation: error)
  6. Navigate to the B2C sign-in flow in the browser where the authorization code was acquired, without using prompt=login (Expectation: login screen is displayed)
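Steps 2 to 5 of the scenario, as an added example that is not part of the original post or of any Microsoft sample: it builds the Graph and B2C requests, reads the two validity timestamps back from a Graph user object, and evaluates a refresh-grant reply offline against constructed sample data. The tenant name, policy name, client id, user id, sample Graph response and sample tokens are all placeholders I made up. The last function is my own assumption about a practical mitigation rather than anything the page documents: an API can refuse a token whose auth_time predates the timestamp Graph reports, regardless of whether B2C itself honoured the revocation.

```python
"""Client-side checks for the B2C revocation scenario above (added example).

Assumes: Microsoft Graph v1.0 revokeSignInSessions and the documented
$select on the user object; a B2C token endpoint of the form
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token.
All identifiers and sample data below are constructed placeholders.
"""
import base64
import json
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def revoke_request(user_id: str) -> tuple[str, str]:
    """Step 2: method and URL for revokeSignInSessions; the caller adds the Graph bearer token."""
    return "POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions"


def validity_probe_request(user_id: str) -> tuple[str, str]:
    """Step 3: read the two timestamps the revocation call is supposed to reset."""
    return ("GET", f"{GRAPH}/users/{user_id}"
            "?$select=refreshTokensValidFromDateTime,signInSessionsValidFromDateTime")


def parse_graph_time(value: str) -> datetime:
    """Graph returns timestamps such as 2023-11-28T10:58:16.2666667Z (seven fractional
    digits).  Drop the fraction and round UP to the next whole second so a token minted
    in the same second as the revocation is treated as revoked (fail closed)."""
    base, _, frac = value.rstrip("Z").partition(".")
    t = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if frac.strip("0"):
        t += timedelta(seconds=1)
    return t


def revocation_cutoff(user_json: dict) -> datetime:
    """Step 3 check: both properties must be present and agree; returns the UTC cutoff."""
    rt = user_json["refreshTokensValidFromDateTime"]
    ss = user_json["signInSessionsValidFromDateTime"]
    if rt != ss:
        raise ValueError(f"property mismatch: {rt} != {ss}")
    return parse_graph_time(rt)


def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature: fine for inspecting a token
    you just received from the token endpoint, never for trusting an inbound one."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def issued_before_cutoff(token: str, cutoff: datetime) -> bool:
    """Assumed app-side mitigation: reject a token whose auth_time (fallback iat)
    predates the Graph cutoff, even if B2C silently reissued it from the cookie."""
    claims = jwt_claims(token)
    issued = claims.get("auth_time", claims["iat"])
    return datetime.fromtimestamp(issued, tz=timezone.utc) < cutoff


def refresh_request(tenant: str, policy: str, client_id: str,
                    refresh_token: str, scope: str) -> tuple[str, dict]:
    """Step 5: refresh_token grant against the B2C token endpoint of one policy."""
    url = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token"
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token, "scope": scope}
    return url, form


def classify_refresh(status: int, body: dict) -> str:
    """Map the token endpoint reply to the step-5 expectation."""
    if status == 200 and "access_token" in body:
        return "renewed"   # revocation was NOT enforced for this refresh token
    if status == 400 and body.get("error") == "invalid_grant":
        return "revoked"   # the expected outcome
    return f"unexpected:{status}:{body.get('error')}"


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (alg none, empty signature) for offline use only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample data standing in for real responses.
SAMPLE_USER = {"refreshTokensValidFromDateTime": "2023-11-28T10:58:16.2666667Z",
               "signInSessionsValidFromDateTime": "2023-11-28T10:58:16.2666667Z"}
OLD_TOKEN = make_unsigned_jwt({"iat": 1701162000, "auth_time": 1701162000})  # 2023-11-28T09:00:00Z
NEW_TOKEN = make_unsigned_jwt({"iat": 1701172800, "auth_time": 1701172800})  # 2023-11-28T12:00:00Z

if __name__ == "__main__":
    cutoff = revocation_cutoff(SAMPLE_USER)
    print("cutoff:", cutoff.isoformat())
    print("old token revoked:", issued_before_cutoff(OLD_TOKEN, cutoff))
    print("new token revoked:", issued_before_cutoff(NEW_TOKEN, cutoff))
    print(classify_refresh(400, {"error": "invalid_grant"}))
```

The rounding in parse_graph_time matters at the boundary: a token whose auth_time falls in the same second as the revocation compares as "before" the cutoff and is rejected, which is the safe direction when the timestamps are the only evidence the relying party has.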

1 answer

  1. 2023-11-29T02:00:05.0233333+00:00

    Hello @metalheart, refreshTokensValidFromDateTime and signInSessionsValidFromDateTime user properties store the same value. Deprecation of one of them has been discussed, however nothing is confirmed yet. Regarding your Azure AD B2C test, you're not getting the expected result since the session cookie does not get invalidated by the aforementioned MS Graph endpoints and thus allows a silent sign-in and (access) token issuance. To enable session invalidation with custom policies, take a look at the sample "A B2C IEF Custom Policy which invalidates all SSO sessions across all devices after the user's refresh token has been revoked".

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.