single-use JWT access_token

Sworna M Dunant 26 Reputation points
2021-07-22T00:45:51.393+00:00

What are the steps to obtain a single-use JWT token from Azure AD? The current token has an expiry of 3600 seconds, and I would like to obtain a token which can only be used once.

Our application document states that a value of at_use_nbr: 1 be sent in the payload.

at_use_nbr: The value of this assertion must be 1. The value 1 indicates that you can log in to the web client only once using this token.

Do I have to add a custom attribute to achieve this? Is there a better way of doing this?


Accepted answer
    AmanpreetSingh-MSFT 56,601 Reputation points
    2021-07-22T03:10:13.05+00:00

    Hi @Sworna M Dunant · Thank you for reaching out.

    As far as I know, at_use_nbr is not supported by Azure AD, which is why it is not documented under the Restricted claim set or the Optional claims set, and creating a custom attribute for at_use_nbr won't help.

    The best you can do as of now is to set the access token lifetime to its minimum value, i.e., 10 minutes. For this purpose, you need to perform the steps below:

    1. Create a token lifetime policy:
       # 00:10:00 is the minimum AccessTokenLifetime Azure AD accepts, matching the 10-minute target above
       $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
    2. To see your new policy and get its ObjectId:
       Get-AzureADPolicy -Id $policy.Id
    3. Assign the policy to your service principal by performing the steps below.
    4. Get the ID of the service principal (replace the placeholder with your app's display name):
       $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '<service principal display name>'"
    5. Assign the policy to the service principal:
       Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
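Once the policy above is assigned, the practical check is to confirm that tokens issued to the service principal actually carry the shorter lifetime, and that the policy definition itself stays inside the range Azure AD accepts (10 minutes to 1 day for access tokens). The script below is an added example, not code from the answer or from Microsoft: it parses the same JSON definition string that is passed to New-AzureADPolicy, validates the AccessTokenLifetime against those documented bounds, and compares it with the exp minus iat of a token. The token it inspects is a constructed, unsigned sample with placeholder tenant and app values; the payload decoding deliberately skips signature verification because it is only for reading the lifetime of a token you already hold, not for trusting its claims.

```python
import base64
import json
from datetime import timedelta

# Documented bounds Azure AD enforces for AccessTokenLifetime in a TokenLifetimePolicy
MIN_ACCESS_TOKEN_LIFETIME = timedelta(minutes=10)
MAX_ACCESS_TOKEN_LIFETIME = timedelta(days=1)


def parse_hhmmss(value):
    """Convert the policy's 'hh:mm:ss' duration string into a timedelta."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def validate_policy_definition(definition):
    """Parse the JSON string passed to New-AzureADPolicy -Definition and return
    the configured access token lifetime. Raises ValueError when the value is
    outside the range Azure AD accepts, so a value below the 10 minute minimum
    is caught before the policy is created."""
    policy = json.loads(definition)["TokenLifetimePolicy"]
    lifetime = parse_hhmmss(policy["AccessTokenLifetime"])
    if not MIN_ACCESS_TOKEN_LIFETIME <= lifetime <= MAX_ACCESS_TOKEN_LIFETIME:
        raise ValueError(f"AccessTokenLifetime {lifetime} is outside the 10 minute to 1 day range")
    return lifetime


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token):
    """Return the claims of a JWT WITHOUT verifying its signature. This is only
    for inspecting exp/iat on a token you already hold; a resource server must
    still validate the signature, issuer and audience before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_lifetime(token):
    """Lifetime Azure AD granted this token, derived from the iat and exp claims."""
    claims = decode_jwt_payload(token)
    return timedelta(seconds=claims["exp"] - claims["iat"])


def lifetime_matches_policy(token, definition):
    """True when the token's exp - iat equals the AccessTokenLifetime in the policy,
    i.e. the policy assigned to the service principal has actually taken effect."""
    return token_lifetime(token) == validate_policy_definition(definition)


def make_sample_token(iat, lifetime):
    """Constructed, unsigned sample token for offline demonstration only. The
    claim values are made up and the signature segment is a placeholder."""
    header = {"typ": "JWT", "alg": "RS256"}
    payload = {"iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
               "aud": "api://<app-id>", "iat": iat,
               "exp": iat + int(lifetime.total_seconds())}
    return ".".join((_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     "placeholder-signature"))


# The same definition the answer's New-AzureADPolicy call uses, with the 10 minute minimum
TEN_MINUTE_POLICY = '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00"}}'
# Constructed sample: issued at a made-up timestamp with the 10 minute lifetime
SAMPLE_TOKEN = make_sample_token(iat=1626914751, lifetime=timedelta(minutes=10))

if __name__ == "__main__":
    print("policy lifetime:", validate_policy_definition(TEN_MINUTE_POLICY))
    print("token lifetime :", token_lifetime(SAMPLE_TOKEN))
    print("policy applied :", lifetime_matches_policy(SAMPLE_TOKEN, TEN_MINUTE_POLICY))
```

To use it against a real tenant, replace SAMPLE_TOKEN with an access token obtained for the service principal after the policy is assigned; if lifetime_matches_policy returns False, the policy is either not assigned to that service principal or a different policy (for example an organization default) is taking precedence.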
