0
votes

Application Implementation Details - My application is structured as follows:

  1. MVC Web Application hosted on Azure Web App.
  2. AngularJS is used on the client side, integrated with the web application.
  3. Services are hosted on Azure Service Fabric Cluster.
  4. Authentication is happening using Azure AD.

Service Fabric APIs are hit from the AngularJS files as follows -

  1. After authentication from Azure AD, the bearer access token is received.
  2. This token is added as Authorization header in the AJAX request from js.
  3. The token is retrieved from the header in the API and validated.

Due to the above implementation, the bearer access token is retrievable from the browser's developer tools, and using this token, unauthorized requests can be made to the APIs from tools like Postman. The default expiry of this token is 60 minutes.

Problem Statement - I need to invalidate the token once the user logs out of the application. This is to prevent unauthorized access to the APIs.

Question - I need input on how to invalidate or expire this token. Or is there any other approach that can be used to solve this problem?

1
You are hitting the general problem of access tokens and their expiration. In general the best solution I've found is to just keep the token lifetimes smaller. If someone has such access to the machine that they can steal the token from the user's browser, any and all logins are compromised at that point anyway. – juunas

1 Answer

0
votes

> Question - I need input on how to invalidate or expire this token. Or is there any other approach that can be used to solve this problem?

Once the token is issued, you cannot invalidate it until it expires. If you can be sure of the usage time, you could configure a token lifetime of less than 1 hour. For how to configure the token lifetime, please read here.
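Added example, not part of the answer above or the asker's code: Azure AD will not revoke an issued access token, but the API itself can stop honouring one after logout by keeping a denylist of logged-out token ids (`jti`) until each token's own `exp`, so the list stays bounded by the token lifetime. The sample token, its placeholder signature and all function names are constructed assumptions; signature and audience checks are assumed to happen in the API's existing validation step before this code runs.

```python
import base64
import hashlib
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(jti: str, exp: int) -> str:
    # Constructed stand-in for an Azure AD access token; the signature is a placeholder.
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"jti": jti, "exp": exp, "aud": "api://sample"}).encode())
    return f"{header}.{payload}.constructed-signature"


def claims_of(token: str) -> dict:
    # Decode the payload only; the signature is assumed to be verified upstream.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


class LogoutDenylist:
    """Tokens the API rejects after logout; each entry lives only until the token's exp."""

    def __init__(self):
        self._revoked = {}  # key -> exp (unix time)

    @staticmethod
    def key_for(token: str) -> str:
        # Prefer jti; fall back to a hash so raw tokens are never stored server-side.
        return claims_of(token).get("jti") or hashlib.sha256(token.encode()).hexdigest()

    def revoke(self, token: str) -> None:
        # Called by the logout endpoint with the bearer token the client presented.
        self._revoked[self.key_for(token)] = claims_of(token)["exp"]

    def is_revoked(self, token: str, now: float) -> bool:
        # Drop entries whose token has expired anyway, then check the presented one.
        for key in [k for k, exp in self._revoked.items() if exp <= now]:
            del self._revoked[key]
        return self.key_for(token) in self._revoked


def authorize(token: str, denylist: LogoutDenylist, now: float = None) -> bool:
    now = time.time() if now is None else now
    if claims_of(token)["exp"] <= now:
        return False  # expired tokens are rejected regardless of the denylist
    return not denylist.is_revoked(token, now)
```

With several Service Fabric instances the denylist has to live in shared storage (a distributed cache) rather than in process memory, or a logged-out token would still be accepted by the other replicas.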