Azure B2C revoke refresh tokens

asked 2020-08-24T13:23:05.667+00:00
Charlie Horton 41 Reputation points

Hi,

I have recently started using Azure AD B2C for multiple applications within our group. The setup is going well, but we have one issue: when a user uses the self-service password reset user flow, they are still able to use existing refresh tokens to generate access tokens and continue to access our applications (without re-authenticating with the new password). A similar issue is that if an admin were to use the block sign-in toggle within the portal, the user is also still able to use their existing refresh tokens to get new access tokens and continue to access our apps. It seems as if our refresh tokens are not being revoked or invalidated in any way. Any advice is appreciated, thanks very much!

Charlie


Accepted answer
  1. answered 2020-08-25T05:18:59.64+00:00
    AmanpreetSingh-MSFT 55,171 Reputation points

    Hi @Charlie Horton

    This is not a case with just B2C; you will experience the same issue with Azure AD and other identity providers as well, and this is expected behavior.

    Continuous access evaluation can overcome this issue. Continuous access evaluation is implemented by enabling services (resource providers) to subscribe to critical events in Azure AD so that those events can be evaluated and enforced near real time. The following events will be enforced in this initial CAE rollout:

    • User Account is deleted or disabled
    • Password for a user is changed or reset
    • MFA is enabled for the user
    • Admin explicitly revokes all refresh tokens for a user
    • Elevated user risk detected by Azure AD Identity Protection

    Microsoft has been an early participant in the Continuous Access Evaluation Protocol (CAEP) initiative as part of the Shared Signals and Events working group at the OpenID Foundation. Identity providers and relying parties will be able to leverage the security events and signals defined by the working group to reauthorize or terminate access.

    Read more: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-continuous-access-evaluation

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


3 additional answers

  1. answered 2020-08-25T05:34:06.013+00:00
    Alfredo Revilla (MSFT) 15,561 Reputation points Microsoft Employee

    You can use Azure AD Graph to invalidate all refresh tokens for a user with a call similar to this:

       POST https://graph.windows.net/myorganization/users/{user_id}/invalidateAllRefreshTokens?api-version=1.6

    Or you can use Azure AD PowerShell with a call similar to this:

       Revoke-AzureADUserAllRefreshToken -ObjectId "<user_object_id>"

    ---
    Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.


  2. answered 2021-09-17T03:47:58.903+00:00
    Thiet Ngo 1 Reputation point

    I got the same issue when integrating my React application with B2C.
    I was able to replay the refresh token request multiple times to get new tokens in two cases:

    • User logged out.
    • Admin Revoked sessions in B2C user portal.

    Not sure if this is an issue from B2C or something wrong with my configuration?


  3. answered 2021-10-19T17:35:35.147+00:00
    mistry mehul 1 Reputation point

    @Thiet Ngo

    The Graph API revoke sessions call resets the Azure AD user attributes signInSessionsValidFromDateTime and refreshTokensValidFromDateTime.

    However, it seems that Azure AD B2C does not honor these attributes by default for policy sign-in (i.e. the user can still sign in if the B2C session is alive) or for renewing access tokens.

    A custom policy must store the sign-in time in the session and compare it with signInSessionsValidFromDateTime on policy execution (refer to the sample policy).

    The JWT issuer technical profile supports the metadata attribute RefreshTokenUserJourneyId to define the policy to execute for token refresh. This policy could validate whether the refresh token's issued date is past the user attribute refreshTokensValidFromDateTime value and reject those requests.
    Refer to the ROPC flow, which checks that refresh tokens are valid; however, I'm not sure whether the custom refresh token policy is also honored for Authorization Code flow token refresh.

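The check described in the answer above (reject a refresh whose token predates refreshTokensValidFromDateTime, or whose account is disabled), as an added example that is not code from this thread, from B2C or from Microsoft. It assumes the Microsoft Graph attribute names accountEnabled and refreshTokensValidFromDateTime; the directory records and the unsigned demo token are constructed for the example, and signature verification is assumed to have happened before this check runs.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a Graph user lookup, keyed by object id.
DIRECTORY = {
    "user-a": {"accountEnabled": True,
               "refreshTokensValidFromDateTime": "2021-10-01T12:00:00Z"},
    "user-b": {"accountEnabled": False,          # admin used "block sign-in"
               "refreshTokensValidFromDateTime": None},
}
CLOCK_SKEW = timedelta(minutes=5)   # tolerance between issuer and directory clocks


def _b64url_json(segment):
    """Decode one base64url JWT segment (JWTs strip '=' padding)."""
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def make_token(oid, iat_epoch):
    """Build a constructed, unsigned token in JWT layout (header.payload.sig)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}),
                     enc({"oid": oid, "iat": int(iat_epoch)}), ""])


def parse_graph_datetime(value):
    """Graph returns ISO-8601 with a trailing 'Z'; None means never revoked."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def refresh_allowed(token, directory=DIRECTORY):
    """Return (allowed, reason) for a refresh request carrying `token`."""
    claims = _b64url_json(token.split(".")[1])
    user = directory.get(claims.get("oid"))
    if user is None:
        return False, "user_not_found"          # deleted user: deny
    if not user.get("accountEnabled", False):
        return False, "account_disabled"        # block sign-in toggle
    issued = datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
    valid_from = parse_graph_datetime(user.get("refreshTokensValidFromDateTime"))
    # A token issued before the revocation instant (allowing for skew) is stale.
    if valid_from is not None and issued + CLOCK_SKEW < valid_from:
        return False, "token_predates_revocation"
    return True, "ok"
```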