How to revoke oauth token?

scarecrow kakashi 246 Reputation points
2022-08-31T08:04:17.65+00:00

I got a token and a refresh token following https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code .

I successfully got the token; the result is shown in the picture.
236486-1.png

I copied the results:

Now I want to revoke the refresh token, so I executed the following commands, but they all fail. So how can I revoke the refresh token?

command 1
curl -H "Content-Type: application/x-www-form-urlencoded" https://graph.windows.net/myorganization/users/bW8ZcMjBCnJZS-ibX5UQDNStvx4/invalidateAllRefreshTokens?api-version=1.6

command 2
curl -H "Content-Type: application/x-www-form-urlencoded" https://graph.windows.net/myorganization/users/AAAAAAAAAAAAAAAAAAAAAPrW95Bcx7KGefNXT-Occ5I/invalidateAllRefreshTokens?api-version=1.6

command 3
curl -H "Content-Type: application/x-www-form-urlencoded" https://graph.windows.net/myorganization/users/fb305542-dc39-4760-a8ac-2eebd9099dd9/invalidateAllRefreshTokens?api-version=1.6

command 4
curl -H "Content-Type: application/x-www-form-urlencoded" https://graph.windows.net/myorganization/users/scarecrowkakashi@.com/invalidateAllRefreshTokens?api-version=1.6

command 5
curl -H "Content-Type: application/x-www-form-urlencoded" https://graph.windows.net/myorganization/users/00000000-0000-0000-6b6b-5ef8a7250b39/invalidateAllRefreshTokens?api-version=1.6

command 6
curl -H "Content-Type: application/x-www-form-urlencoded" https://graph.windows.net/myorganization/users/9188040d-6c67-4c5b-b112-36a304b66dad/invalidateAllRefreshTokens?api-version=1.6

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,871 Reputation points Moderator
    2022-09-01T05:32:34.487+00:00

    Hi @scarecrow kakashi • Thank you for reaching out.

    In order to revoke all the refresh tokens for a given user, you can use Microsoft Graph API i.e., https://graph.microsoft.com. The graph calls that you have shared in your question are using Azure AD Graph i.e., http://graph.windows.net, which is the older version and is deprecated.

    I would suggest you use the below Graph call:

    • POST https://graph.microsoft.com/beta/me/invalidateAllRefreshTokens - for currently signed-in user.
    • POST https://graph.microsoft.com/beta/users/object_id_of_the_user/invalidateAllRefreshTokens - for currently signed-in or other users.

    Permissions required: User.ReadWrite, Directory.ReadWrite.All. Keep in mind that the above call must be made under user context and not application context (where the token is acquired using ClientID and ClientSecret via client_credentials flow).

    Read more: user: invalidateAllRefreshTokens

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
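The two Graph calls from the accepted answer as a shell helper: an added example, not code from the original thread or from Microsoft. It assumes `ACCESS_TOKEN` holds a delegated (user-context) Microsoft Graph token with the permissions listed in the answer; the function names and the `DRY_RUN` switch are hypothetical, and the helper accepts only a GUID for the `object_id_of_the_user` placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumptions: ACCESS_TOKEN is a delegated
# Microsoft Graph token; function names and DRY_RUN are hypothetical.
# Usage after sourcing: revoke_refresh_tokens            (signed-in user)
#                       revoke_refresh_tokens <objectId> (a specific user)

GRAPH_BASE="https://graph.microsoft.com/beta"

# Build the endpoint URL. No argument: the signed-in user (/me).
# Otherwise the argument must look like a directory object ID (GUID).
revoke_url() {
  local id="${1:-}"
  if [ -z "$id" ]; then
    printf '%s/me/invalidateAllRefreshTokens\n' "$GRAPH_BASE"
    return 0
  fi
  if ! printf '%s' "$id" |
      grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    echo "not an object ID (GUID): $id" >&2
    return 1
  fi
  printf '%s/users/%s/invalidateAllRefreshTokens\n' "$GRAPH_BASE" "$id"
}

# Send the POST with the bearer token; succeed only on a 2xx status.
revoke_refresh_tokens() {
  local url status
  url="$(revoke_url "${1:-}")" || return 1
  if [ -z "${ACCESS_TOKEN:-}" ]; then
    echo "ACCESS_TOKEN is not set" >&2
    return 1
  fi
  if [ -n "${DRY_RUN:-}" ]; then
    echo "POST $url"   # show the request without sending it
    return 0
  fi
  # The header is fed to curl on stdin so the token stays out of the
  # process list and shell history.
  status="$(printf 'header = "Authorization: Bearer %s"\n' "$ACCESS_TOKEN" |
    curl --silent --output /dev/null --write-out '%{http_code}' \
         --request POST --header 'Content-Length: 0' --config - "$url")"
  case "$status" in
    2??) echo "revoked (HTTP $status)"; return 0 ;;
    *)   echo "failed (HTTP $status)" >&2; return 1 ;;
  esac
}
```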

