How to make all refresh tokens invalid for getting access token to make it more secure
Somehow I managed to reduce default access token lifetime to 30 minutes. This made tokens to expire or invalid after 30 minutes. Now the problem is few users already got refresh tokens along with access token before and using those to get access token again after token expiration like
POST https://login.microsoft.com/tenantid/oauth2/v2.0/token?&client_id:appid&grant_type:refresh_token&refresh_token: refresh token&client_secret: client secret
I don't want this to happen. Removing offline_access scope won't give refresh token anymore. But what about the refresh tokens that users already got. How to make those refresh tokens invalid so that users cannot use them to get access tokens that makes more secure. Even if they use, it should throw some error instead of giving access tokens.
How to make this happen? Anyone tried this before?
To invalidate all refresh tokens, you can make use of below query:
POST https://graph.microsoft.com/beta/users/<user_id>/invalidateAllRefreshTokens
I tried to reproduce the same in my environment and got below results:
I registered one Azure AD application and added API permissions by granting consent like below:
I got refresh token along with access token via Postman with below parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:<appID>
grant_type:authorization_code
scope: offline_access user.read.all
code:code
redirect_uri: https://jwt.ms
client_secret: secret
Response:
Using this refresh token, I'm able to get access token like below:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:appID
grant_type:refresh_token
refresh_token: 0.AVYA_in0zaI3eUqOQHrbrD-FUv //paste the refresh token that I got above
client_secret:client_secret //Mandatory if client is web app
Response:
To revoke these refresh tokens, I ran below query in Graph Explorer by granting consent to required permissions:
POST https://graph.microsoft.com/beta/users/<user_id>/invalidateAllRefreshTokens
Response:
Now when I tried to get the access token again with existing refresh token, I got error like below as refresh token is revoked:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:appID
grant_type:refresh_token
refresh_token: 0.AVYA_in0zaI3eUqOQHrbrD-FUv //paste the refresh token that I got above
client_secret:client_secret //Mandatory if client is web app
Response:
To do the same from PowerShell, you can make use of below command:
Revoke-AzureADUserAllRefreshToken -ObjectId <userID>
Reference: Revoke-AzureADUserAllRefreshToken (AzureAD)
- AADSTS50012: Invalid client secret is provided when moving from a Test App to Production
- InefficientFilter error on Microsoft Graph requests which were previously working
- IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey
- Graph API: Either scp or roles claim need to be present in the token
- How do I authorize a Python script to upload to SharePoint Online?
- Add claims into token Azure B2C
- Looking for a Microsoft Graph API that can update device ownership of a deivce
- How to get users info list from Azure AD app by calling Microsoft Graph API from ASP.NET Core Web API?
- "Need admin approval" error when using "Sites.Selected" delegated permission for SharePoint document download
- Is it possible to use Bearer Access Token to Authenticate against our tenants SharePoint to allow a daemon to upload files to document library?
- How to get client secret expiry date using the azure AD graph API
- Graph API - Insufficient privileges to complete the operation
- Issue in sending personal message in MS Teams with Graph API
- Get the email address of a Microsoft user
- What does "grant admin consent" button do in azure Azure Active Directory application?
- Unable to Retrieve Online Meetings Data Using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Issue with move folder API in Microsoft Graph when Email ID contains "/"
- How to remove proxyaddresses from B2C user?
- Azure AD B2C - Sign out a user from all sessions
- C# CS1061 Error with '.Request' (Trying to update users in an Azure AD B2C through external app)
- Query Azure Resource Graph and get a list of all the application registration that contains "test"
- Updating web redirect uri of Azure AD app registration
- Using Azure AD Graph REST API to reset users password (on behalf)
- How to replace static array data with from api request in Angular?
- Microsoft Graph Api GET request can't deserialize JSON obect when calling Applications
- How to get all role assignments for a target application using Microsoft Graph?
- How to fetch authentication methods or MFA phone number of azure ad b2c users using MS graph API
- How to return sign in activity for specific multiple users in office365 using Microsoft graph Api with powershell
- Microsoft Graph Subscription Limitations