revokeSignInSessions not revoking session cookies

Morten Østerlund Jørgensen 26 Reputation points

I haven't had any success revoking the B2C session cookies with /users/{id}/revokeSignInSessions endpoint. I can see that it actually updates the "refreshTokensValidFromDateTime" property, so probably not a permission issue. Rejecting refresh tokens from before that date in a custom policy during sign in has no effect. I guess the custom policy is not even being run because the session cookie is still valid. It also seems not to have an effect in the default signin user flow.

It is an issue in particular in combination with Keep Me Signed In and revoking access globally (not only in the current browser, so calling /logout endpoint not an option). Lowering access token or cookie lifetime, or changing SingleSignOn Scope attribute is not an option. Changing the user's password does not invalidate the cookie either. Only way to invalidate the cookies seems to be to set Scope=Policy and forcing that user to a different policy or disabling the user. Then leave it like that until cookie expires (after days specified in SingleSignOn KeepAliveInDays attribute).

Am I doing something wrong?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,716 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Jas Suri 91 Reputation points Microsoft Employee

    The Graph API command to revoke the session in respect to Azure AD B2C does not invalidate the B2C users session cookie. It only sets the refreshTokenLastValidFrom timestamp to the current time.

    When using a SPA app, .Net App with PKCE flow, the users access token expiration will determine when the refresh token is subsequently used. If this exchange fails due to the /revoke endpoint being called, the user is asked to login again.

    When the user is asked to login again, the Azure AD B2C web session sso cookies may give SSO if present and valid, as you note. Otherwise the user is asked to reauthenticate. You can force the behavior slightly by passing 'prompt=login' as part of the loginRedirect() method to clear the cookies in this scenario (when refresh token call fails).

    You can also reduce the web session SSO liftetime such that the cookie is valid for a shorter period of time, somewhat mitigating how long the user may still have access without reauthenticating after the /revoke endpoint is called.

    Be aware, that the refresh token in the SPA PKCE flow is only valid for 24 hours, and reducing the web session SSO lifetime will also effect users who have not had the /revoke endpoint called against them. For example if the user visits another application, they may not get SSO due to the shorter cookie lifetime.

    1 person found this answer helpful.