Revoke OAuth refresh token API

scarecrow kakashi 246 Reputation points
2022-09-05T07:15:21.057+00:00

I got a token and a refresh token following https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code , but I can't revoke the refresh token.

The revoke API is clearly defined in the RFC7009 document.
Links and screenshots are below:
https://www.rfc-editor.org/rfc/rfc7009
[screenshot: 237737-11.png]

Google's revoke API meets RFC7009.
Links and screenshots are below:
https://developers.google.com/identity/protocols/oauth2/limited-input-device
[screenshot: 237742-12.png]

Does Microsoft have an interface that complies with RFC7009?
How do I revoke a refresh token if there is no interface that complies with RFC7009?


Accepted answer
Givary-MSFT 32,591 Reputation points Microsoft Employee
2022-09-06T12:01:27.283+00:00

@scarecrow kakashi Thank you for reaching out to us.

You can use the below Graph call to revoke the refresh token:

To revoke the refresh token of the signed-in user:

POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions

To revoke the refresh token of another user:

POST https://graph.microsoft.com/v1.0/users/object_id_or_upn_of_user/revokeSignInSessions

Alternatively, you can use the below PowerShell cmdlets as well:

Revoke-AzureADSignedInUserAllRefreshToken

Revoke-AzureADUserAllRefreshToken

Let me know if you have any questions.
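The Graph call from the accepted answer, wrapped in a small Python client as an added example (this is not code from the thread or from Microsoft). It builds the POST for either the signed-in user (/me) or a named user (object id or UPN) and classifies the response so a caller can tell a revoked session from a permission problem. Assumptions: the caller already holds a bearer token for Graph with the User.RevokeSessions.All (or Directory.ReadWrite.All) permission; a 204 No Content, or a 200 with a JSON body of {"value": true}, is treated as success (the thread itself does not state the response shape); the transport is injectable so the logic can be exercised offline with a constructed fake. One caveat worth knowing when using this after the device-code flow: revokeSignInSessions invalidates refresh tokens and session cookies, but access tokens already issued stay valid until they expire, so the client keeps working for up to the access-token lifetime and only fails once it tries to redeem the refresh token.

```python
"""Revoke a user's refresh tokens via Microsoft Graph revokeSignInSessions.

Added example, not from the thread. Assumes a Graph bearer token with the
User.RevokeSessions.All (or Directory.ReadWrite.All) permission.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

# (method, url, headers) -> (status, body); injectable for offline use.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, bytes]]


@dataclass
class RevokeResult:
    ok: bool
    status: int
    detail: str


def build_revoke_request(bearer_token: str, user: Optional[str] = None
                         ) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, url, headers) for the revokeSignInSessions call.

    user=None targets the signed-in user (/me); otherwise pass the user's
    object id or UPN, which becomes the /users/{id|upn} path segment.
    """
    target = "me" if user is None else "users/" + quote(user, safe="@")
    url = f"{GRAPH}/{target}/revokeSignInSessions"
    headers = {"Authorization": f"Bearer {bearer_token}", "Content-Length": "0"}
    return "POST", url, headers


def interpret_revoke_response(status: int, body: bytes) -> RevokeResult:
    """Map the HTTP response to a result the caller can act on."""
    if status == 204:
        return RevokeResult(True, status, "sessions revoked (no content)")
    if status == 200:
        # Assumed older response shape: {"value": true}
        try:
            payload = json.loads(body or b"{}")
        except ValueError:
            return RevokeResult(False, status, "200 with non-JSON body")
        if payload.get("value") is True:
            return RevokeResult(True, status, "sessions revoked")
        return RevokeResult(False, status, f"unexpected payload: {payload}")
    if status in (401, 403):
        return RevokeResult(False, status,
                            "token expired/invalid or lacks User.RevokeSessions.All")
    if status == 404:
        return RevokeResult(False, status, "user not found")
    return RevokeResult(False, status, f"unexpected status; body={body[:200]!r}")


def _urllib_transport(method: str, url: str, headers: Dict[str, str]
                      ) -> Tuple[int, bytes]:
    """Default transport: real HTTPS call to Graph using the standard library."""
    req = urllib.request.Request(url, method=method, headers=headers, data=b"")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def revoke_sign_in_sessions(bearer_token: str, user: Optional[str] = None,
                            transport: Optional[Transport] = None) -> RevokeResult:
    """Revoke refresh tokens for /me (user=None) or for the given user."""
    method, url, headers = build_revoke_request(bearer_token, user)
    status, body = (transport or _urllib_transport)(method, url, headers)
    return interpret_revoke_response(status, body)


if __name__ == "__main__":
    # Constructed fake transport standing in for Graph, so this runs offline.
    def fake_graph(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        assert method == "POST" and headers["Authorization"].startswith("Bearer ")
        return (204, b"") if url.endswith("/revokeSignInSessions") else (404, b"")

    # "TOKEN_PLACEHOLDER" and the UPN are constructed values, not real ones.
    print(revoke_sign_in_sessions("TOKEN_PLACEHOLDER", "alice@contoso.example", fake_graph))
```

Swap the fake transport for the default to make the real call; a 401/403 from the real endpoint almost always means the calling token was issued without User.RevokeSessions.All rather than a problem with the target user.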


0 additional answers
