Somehow I managed to reduce the default access token lifetime to 30 minutes. This made tokens expire or become invalid after 30 minutes. Now the problem is that a few users already got refresh tokens along with the access token before, and are using those to get an access token again after token expiration, like:
POST https://login.microsoft.com/tenantid/oauth2/v2.0/token?&client_id:appid&grant_type:refresh_token&refresh_token: refresh token&client_secret: client secret
I don't want this to happen. Removing the offline_access scope won't give a refresh token anymore. But what about the refresh tokens that users already got? How do I make those refresh tokens invalid so that users cannot use them to get access tokens, which makes it more secure? Even if they use them, it should throw some error instead of giving access tokens.
How to make this happen? Has anyone tried this before?
To invalidate all refresh tokens, you can make use of the below query:
POST https://graph.microsoft.com/beta/users/<user_id>/invalidateAllRefreshTokens
I tried to reproduce the same in my environment and got the below results:
I registered one Azure AD application and added API permissions by granting consent like below:
I got a refresh token along with an access token via Postman with the below parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:<appID>
grant_type:authorization_code
scope: offline_access user.read.all
code:code
redirect_uri: https://jwt.ms
client_secret: secret
Response:
Using this refresh token, I'm able to get an access token like below:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:appID
grant_type:refresh_token
refresh_token: 0.AVYA_in0zaI3eUqOQHrbrD-FUv //paste the refresh token that I got above
client_secret:client_secret //Mandatory if client is web app
Response:
To revoke these refresh tokens, I ran the below query in Graph Explorer after granting consent to the required permissions:
POST https://graph.microsoft.com/beta/users/<user_id>/invalidateAllRefreshTokens
Response:
Now when I tried to get the access token again with the existing refresh token, I got an error like below, as the refresh token is revoked:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:appID
grant_type:refresh_token
refresh_token: 0.AVYA_in0zaI3eUqOQHrbrD-FUv //paste the refresh token that I got above
client_secret:client_secret //Mandatory if client is web app
Response:
To do the same from PowerShell, you can make use of the below command:
Revoke-AzureADUserAllRefreshToken -ObjectId <userID>
Reference: Revoke-AzureADUserAllRefreshToken (AzureAD)
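The same two steps as a script (an added example, not code from the question or the answer): call the Graph invalidateAllRefreshTokens endpoint for a user, then try to redeem the old refresh token and classify the token endpoint's reply. It assumes the tenant, app, user, a Graph bearer token with the consented permissions, and the previously captured refresh token are supplied through environment variables; the helper names are the example's own. A rejected refresh token comes back as the OAuth 2.0 `invalid_grant` error, which is the signal a client should treat as "send the user through sign-in again".

```python
import json
import os
import sys
from urllib import error, parse, request

GRAPH = "https://graph.microsoft.com/beta"
LOGIN = "https://login.microsoftonline.com"


def build_invalidate_request(user_id: str, graph_token: str) -> request.Request:
    """Same call the answer runs in Graph Explorer: POST .../invalidateAllRefreshTokens."""
    return request.Request(
        f"{GRAPH}/users/{user_id}/invalidateAllRefreshTokens",
        method="POST", data=b"",
        headers={"Authorization": f"Bearer {graph_token}", "Content-Length": "0"},
    )


def build_refresh_request(tenant: str, client_id: str, client_secret: str,
                          refresh_token: str) -> request.Request:
    """The grant_type=refresh_token exchange from the answer, sent as a form POST body."""
    form = {"client_id": client_id, "grant_type": "refresh_token",
            "refresh_token": refresh_token, "client_secret": client_secret}
    return request.Request(f"{LOGIN}/{tenant}/oauth2/v2.0/token",
                           data=parse.urlencode(form).encode(), method="POST")


def classify_token_response(status: int, body: dict) -> str:
    """Map the token endpoint's reply to what the client should do next."""
    if status == 200 and "access_token" in body:
        return "refreshed"      # refresh token still valid: revocation did not take
    if body.get("error") == "invalid_grant":
        return "revoked"        # refresh token rejected: force interactive sign-in
    return "other"              # e.g. invalid_client: a client/config problem, not revocation


def send(req: request.Request):
    """Perform a request; return (HTTP status, parsed JSON body) even for 4xx replies."""
    try:
        with request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except error.HTTPError as exc:   # AAD returns the error details as a JSON body
        try:
            return exc.code, json.load(exc)
        except ValueError:
            return exc.code, {}


if __name__ == "__main__":
    names = ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "USER_ID", "GRAPH_TOKEN", "OLD_REFRESH_TOKEN")
    env = {k: os.environ.get(k) for k in names}
    if not all(env.values()):
        sys.exit("set " + " ".join(names))
    status, body = send(build_invalidate_request(env["USER_ID"], env["GRAPH_TOKEN"]))
    print("invalidateAllRefreshTokens:", status, body.get("value"))
    status, body = send(build_refresh_request(env["TENANT_ID"], env["CLIENT_ID"],
                                              env["CLIENT_SECRET"], env["OLD_REFRESH_TOKEN"]))
    print("old refresh token is now:", classify_token_response(status, body))
```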