single-use JWT access_token

Sworna M Dunant 26 Reputation points
2021-07-22T00:45:51.393+00:00

What are the steps to obtain a single-use JWT token from Azure AD? The current token has an expiry of 3600 seconds, and I would like to obtain a token which can only be used once.

Our application document states that a value of at_use_nbr: 1 be sent in the payload.

at_use_nbr: The value of this assertion must be 1. The value 1 indicates that you can log in to the web client only once using this token.

Do I have to add a custom attribute to achieve this? Is there a better way of doing this?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author
    AmanpreetSingh-MSFT 56,956 Reputation points Moderator
    2021-07-22T03:10:13.05+00:00

    Hi @Sworna M Dunant, thank you for reaching out.

    As far as I know, at_use_nbr is not supported by Azure AD, which is why it is not documented under the Restricted claim set or the Optional claims set, and creating a custom attribute for at_use_nbr won't help.

    The best you can do as of now is set the access token lifetime to its minimum value, i.e., 10 minutes. For this purpose, you need to perform the steps below:

    1. Create a token lifetime policy (AccessTokenLifetime set to the 10-minute minimum): $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
    2. To see your new policy and get the policy ObjectId: Get-AzureADPolicy -Id $policy.Id
    3. Assign the policy to your service principal by performing the steps below.
    4. Get the ID of the service principal: $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '<service principal display name>'"
    5. Assign the policy to the service principal: Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
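Azure AD cannot issue a single-use access token, but the API that consumes the token can enforce single use itself. The following is an added example, not part of the answer above or any Microsoft sample: a replay guard that remembers each token's unique identifier until its exp and rejects a second presentation. It assumes the token's signature, issuer, audience and expiry have already been validated by the normal pipeline, and that the identifier is in the uti claim (Azure AD's per-token identifier) or jti; the sample claims are constructed.

```python
import time
from threading import Lock

# Per-token identifier claims: Azure AD access tokens carry "uti",
# RFC 7519 tokens carry "jti". Checked in this order.
TOKEN_ID_CLAIMS = ("uti", "jti")


class SingleUseGuard:
    """Rejects an access token the second time it is presented. Run it after
    normal validation (signature, issuer, audience, expiry) on the decoded claims."""

    def __init__(self, now=time.time):
        self._seen = {}     # token id -> exp (unix seconds)
        self._lock = Lock()
        self._now = now     # injectable clock so the demo is deterministic

    def accept(self, claims):
        """Return True on the first presentation of a token id, else False."""
        token_id = next((claims[c] for c in TOKEN_ID_CLAIMS if c in claims), None)
        exp = claims.get("exp")
        # Fail closed: with no id or exp there is nothing to detect replay on.
        if token_id is None or not isinstance(exp, (int, float)):
            return False
        now = self._now()
        if exp <= now:
            return False    # already expired, never admit it
        with self._lock:
            for stale in [k for k, e in self._seen.items() if e <= now]:
                del self._seen[stale]          # ids of expired tokens cannot replay
            if token_id in self._seen:
                return False                   # replay inside the validity window
            self._seen[token_id] = exp
            return True


# Constructed sample claims (not a real Azure AD token); exp is 600 s after
# the demo clock's start value.
SAMPLE_CLAIMS = {"iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
                 "aud": "api://example-app", "exp": 1_700_000_600,
                 "uti": "constructed-uti-0001"}


def demo():
    clock = [1_700_000_000]
    guard = SingleUseGuard(now=lambda: clock[0])
    first = guard.accept(SAMPLE_CLAIMS)    # True: first use
    second = guard.accept(SAMPLE_CLAIMS)   # False: replay
    clock[0] = 1_700_000_700               # past exp: id purged, token expired
    third = guard.accept(SAMPLE_CLAIMS)    # False
    return first, second, third            # (True, False, False)
```

In a multi-instance deployment the seen-id store must be shared (for example a cache with per-key TTL set to exp), otherwise each instance admits the token once.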
