We are working on a web application. At the client side we have an Angular application that has integrated the MSAL library for Azure AD authentication. At the backend we have an ASP.NET Core application that integrates the MSFT Graph API service and sends HTTP requests to the Graph API on behalf of the authenticated user. The main purpose of these Graph API requests is to manage App Roles assignments. So, our client side has a UI for App Roles assignment management. The access token we receive from Azure AD contains the set of assigned App Roles. The client side UI is rendered according to this set of App Roles (some menu items are hidden for low privileged roles). The current task is to invalidate/revoke the client side token once the user's App Roles set is updated. Implemented steps: token lifetime decreased to 10 mins (the minimum of the allowed values). Right now we are trying to use the RevokeSignInSessions method of the Graph API. It seems to be working for the Azure Portal but does not for our client side. It seems that the portal has some special settings for handling tokens. Question: Is there any recommended way to go with such requirements?
1 Answer
0 votes
If you use Azure AD for authentication, you should get an access token and a refresh token.
If you wish to revoke the refresh token, you can use PowerShell: Revoke-AzureADUserAllRefreshToken, or the AAD Graph API: POST https://graph.windows.net/{tenant id}/me/invalidateAllRefreshTokens?api-version=1.6 HTTP/1.1.
However, the access token cannot be revoked, and it will automatically expire after 1 hour.
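Since the answer states that an issued access token cannot be revoked, the Angular client has to detect on its own that the roles it rendered from are out of date. The following is an added example, not code from the question, the answer or MSAL; it assumes the ASP.NET Core backend (which performs the App Role changes through Graph) also exposes the Unix time of the last change as rolesChangedAt, and it uses a constructed, unsigned sample token.

```typescript
// Added example. Assumption: the backend reports when a user's App Roles last
// changed (rolesChangedAt, Unix seconds). The client compares that with the
// token's issued-at claim: a token issued before the change carries stale roles.

interface TokenClaims {
  iat: number;        // issued-at, Unix seconds
  exp: number;        // expiry, Unix seconds
  roles?: string[];   // Azure AD App Roles claim
}

// Decode one base64url JWT segment (ASCII payloads only, as in this sample).
function base64UrlDecode(segment: string): string {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
}

// Read the claims without verifying the signature: the client uses them only
// for UI decisions, while the backend still validates the token properly.
function decodeClaims(token: string): TokenClaims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(base64UrlDecode(parts[1])) as TokenClaims;
}

// A token is stale when it has expired or when App Roles changed after it was
// issued. Stale means: discard the cached token and acquire a fresh one (e.g.
// MSAL acquireTokenSilent with forceRefresh) instead of trusting its roles claim.
function tokenIsStale(token: string, rolesChangedAt: number, now: number): boolean {
  const claims = decodeClaims(token);
  return claims.exp <= now || claims.iat < rolesChangedAt;
}

// Constructed sample token (alg "none", empty signature, no real tenant data).
function makeSampleToken(claims: TokenClaims): string {
  const enc = (o: object) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.`;
}

const sampleToken = makeSampleToken({ iat: 1700000000, exp: 1700000600, roles: ["Admin.Read"] });
```

The check belongs next to where the UI reads the roles claim, so a menu rendered from a stale token is refreshed rather than left in place until the 10-minute lifetime runs out.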