Tags: azure-ad-graph-api, refresh-token, azure-security, azure-identity, azure-oauth

How to make all refresh tokens invalid for getting access token to make it more secure


Somehow I managed to reduce the default access token lifetime to 30 minutes. This made tokens expire or become invalid after 30 minutes. Now the problem is that a few users already got refresh tokens along with the access token before, and are using those to get an access token again after token expiration, like:

POST https://login.microsoft.com/tenantid/oauth2/v2.0/token?&client_id:appid&grant_type:refresh_token&refresh_token: refresh token&client_secret: client secret

I don't want this to happen. Removing the offline_access scope won't give a refresh token anymore. But what about the refresh tokens that users already got? How to make those refresh tokens invalid so that users cannot use them to get access tokens, which makes it more secure? Even if they use them, it should throw some error instead of giving access tokens.

How to make this happen? Anyone tried this before?


Solution

  • To invalidate all refresh tokens, you can make use of the query below:

    POST https://graph.microsoft.com/beta/users/<user_id>/invalidateAllRefreshTokens
    

    I tried to reproduce the same in my environment and got the results below:

    I registered one Azure AD application and added API permissions by granting consent like below (screenshot):

    I got a refresh token along with an access token via Postman with the parameters below:

    POST  https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
    client_id:<appID>
    grant_type:authorization_code
    scope: offline_access user.read.all
    code:code
    redirect_uri: https://jwt.ms
    client_secret: secret
    

    Response: (screenshot)

    Using this refresh token, I'm able to get an access token like below:

    POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
    client_id:appID
    grant_type:refresh_token
    refresh_token: 0.AVYA_in0zaI3eUqOQHrbrD-FUv //paste the refresh token that I got above
    client_secret:client_secret //Mandatory if client is web app
    

    Response: (screenshot)

    To revoke these refresh tokens, I ran the query below in Graph Explorer after granting consent to the required permissions:

    POST https://graph.microsoft.com/beta/users/<user_id>/invalidateAllRefreshTokens
    

    Response: (screenshot)

    Now when I tried to get the access token again with the existing refresh token, I got an error like below, as the refresh token is revoked:

    POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
    client_id:appID
    grant_type:refresh_token
    refresh_token: 0.AVYA_in0zaI3eUqOQHrbrD-FUv //paste the refresh token that I got above
    client_secret:client_secret //Mandatory if client is web app
    

    Response: (screenshot)

    To do the same from PowerShell, you can make use of the command below:

    Revoke-AzureADUserAllRefreshToken -ObjectId <userID>
    

    Reference: Revoke-AzureADUserAllRefreshToken (AzureAD)
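The procedure in the answer (revoke via Graph, then confirm the old refresh token is rejected) as an added Python example, not code from the answer or from Microsoft. It uses the beta Graph path shown above and assumes the token endpoint answers a revoked refresh token with the OAuth error `invalid_grant`; the Graph token is assumed to carry a consented permission such as User.ReadWrite.All. The `send` parameter lets the revoke loop run against a fake transport offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"
LOGIN = "https://login.microsoftonline.com"

def build_revoke_request(user_id, graph_token):
    # Graph call from the answer; graph_token must carry a consented permission
    # that may write user sign-in state (assumed: User.ReadWrite.All suffices).
    return urllib.request.Request(
        f"{GRAPH}/users/{urllib.parse.quote(user_id)}/invalidateAllRefreshTokens",
        method="POST", headers={"Authorization": f"Bearer {graph_token}"})

def build_refresh_request(tenant, client_id, client_secret, refresh_token):
    # The refresh-token grant is a form-encoded POST body (key=value&...), not
    # colon-separated query parameters as written in the question.
    body = urllib.parse.urlencode({
        "client_id": client_id, "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_secret": client_secret,  # confidential (web app) clients only
    }).encode()
    return urllib.request.Request(
        f"{LOGIN}/{tenant}/oauth2/v2.0/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def refresh_is_rejected(status, body):
    # A revoked token yields HTTP 400 with error "invalid_grant" (assumption);
    # a 200 carrying an access_token means the revocation has not taken effect.
    if status == 200:
        return False
    try:
        return json.loads(body).get("error") == "invalid_grant"
    except ValueError:
        return False

def revoke_all(user_ids, graph_token, send=urllib.request.urlopen):
    # One invalidateAllRefreshTokens call per user; returns {user_id: succeeded}.
    # Beta returns 200, v1.0 returns 204; 'send' is injectable for offline use.
    results = {}
    for uid in user_ids:
        try:
            with send(build_revoke_request(uid, graph_token)) as resp:
                results[uid] = resp.status in (200, 204)
        except urllib.error.HTTPError:
            results[uid] = False
    return results
```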