XuKysonK-3446 asked ImtiazKhadim-8072 commented

How to revoke token

After I get the token value, what method can I use to cancel the token and invalidate it? Before the token expires, it is possible to call our application interface through Postman, but this should be prohibited.

azure-ad-access-reviews

amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @XuKysonK-3446 • Thank you for reaching out.

You can use the below graph call to revoke the Refresh token:

To revoke the refresh token of the signed-in user:

To revoke the refresh token of another user:

Alternatively, you can use below PowerShell cmdlets as well:

Note: You cannot revoke access tokens. Access tokens are short-lived and by default valid for 1 hour. However, when the refresh tokens are revoked, the application will not be able to redeem the refresh tokens (long-lived tokens) to acquire new access tokens.

You may also consider setting access token lifetime to a lower value than 1 hour (minimum supported value is 10 minutes and the maximum is 1 day). Refer to: https://docs.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes.

Read more: Access token lifetime


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

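The Graph request and cmdlets the answer refers to are not reproduced on this page. The following PowerShell script is an added example (not the original answer's code and not a Microsoft sample) that uses the Microsoft Graph PowerShell SDK to do what the answer describes: revoke a user's refresh tokens through the revokeSignInSessions action, read back the cut-off timestamp the revocation sets, and attach a token lifetime policy that shortens access tokens for one application to the 10-minute minimum. The user principal name, application object ID and policy name are hypothetical placeholders.

```powershell
# Added example: revoke a user's refresh tokens and shorten access token lifetime.
# Not code from the original answer. Assumes the Microsoft.Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an account that can consent to the scopes below.
# $userUpn, $appObjectId and the policy displayName are hypothetical placeholders.

Connect-MgGraph -Scopes "User.ReadWrite.All",
                        "Policy.ReadWrite.ApplicationConfiguration",
                        "Application.ReadWrite.All"

$graph       = "https://graph.microsoft.com/v1.0"
$userUpn     = "alice@contoso.onmicrosoft.com"            # hypothetical user
$appObjectId = "11111111-2222-3333-4444-555555555555"      # hypothetical application object id

# 1. Revoke refresh tokens. Graph resets the user's refreshTokensValidFromDateTime, so
#    every refresh token issued before now is rejected the next time it is redeemed.
#    For the signed-in user the URI is "$graph/me/revokeSignInSessions" instead.
$revoke = Invoke-MgGraphRequest -Method POST -Uri "$graph/users/$userUpn/revokeSignInSessions"
if (-not $revoke.value) { throw "revokeSignInSessions did not report success for $userUpn" }

# 2. Read back the cut-off timestamp that refresh tokens and sessions are now checked against.
$user = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/users/$($userUpn)?`$select=signInSessionsValidFromDateTime"
"Tokens issued before $($user.signInSessionsValidFromDateTime) can no longer be refreshed."

# Equivalent cmdlets, for reference:
#   Revoke-MgUserSignInSession -UserId $userUpn              (Microsoft.Graph.Users.Actions)
#   Revoke-AzureADUserAllRefreshToken -ObjectId <objectId>   (legacy AzureAD module)

# 3. Access tokens that were already issued cannot be revoked and stay valid until they
#    expire. Limit that window by shortening their lifetime; 10 minutes is the minimum.
$policyBody = @{
    displayName           = "TenMinuteAccessTokens"          # hypothetical policy name
    isOrganizationDefault = $false
    definition            = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00"}}')
}
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/policies/tokenLifetimePolicies" -Body $policyBody

# 4. Assign the policy to the application whose access tokens should be short-lived.
$ref = @{ "@odata.id" = "$graph/policies/tokenLifetimePolicies/$($policy.id)" }
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/applications/$appObjectId/tokenLifetimePolicies/`$ref" -Body $ref

"Policy $($policy.id) assigned; new access tokens for application $appObjectId expire after 10 minutes."
```

Step 1 only stops refresh tokens from being redeemed; an access token captured before the revocation, as in the Postman scenario from the question, still works until its own expiry, which is why step 3 is there. The policy is attached to the application object (the ID shown on the app registration's overview page), not to the service principal.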

Thank you for your answer. In other words, if within ten minutes (the shortest token validity period) I can manually get the token value and then call the interface through Postman, is that allowed? If so, we cannot pass our penetration test.


@XuKysonK-3446 · Yes, if the access token is within its validity period, it can be used. If you have set its validity to 10 minutes, it can be used within those 10 minutes.
Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#access-tokens



got it, thank you!

AndiJones-3669 answered ImtiazKhadim-8072 commented

To revoke a refresh token, send a POST request to your domain. The /oauth/revoke endpoint revokes the entire grant, not just a specific token. Use the /api/v2/device-credentials endpoint to revoke refresh tokens.


Thank you for your answer.


@AndiJones-3669

I got the access token in my daemon service using the OAuth 2.0 client credentials flow, using the following endpoint:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

Now my service wants to invalidate or log out the token. How can I achieve this? Please help me with this. What is the token revoke endpoint?

Regards,
IK
