I have developed an application that utilizes OAuth 2.0 for user authentication and subsequently retrieves user details from the Microsoft Graph API.
I have implemented the functionality up to login and accessing the user details. However, I am encountering difficulties with the logout process for users who have signed in using Microsoft credentials. I possess both the access token and refresh token associated with the current user session.
I understand that to log out a user, I need to remove both the access token and refresh token from my application and then terminate the session. However, the refresh token remains valid, which allows unauthorized access. So, I wanted to know how to invalidate the refresh token specific to the logged-in user within my application from the Authorization Server (in this case, Microsoft).
The following Graph call can be used to cancel the refresh token:

To cancel the refresh token of the user who is signed in:

POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions

To cancel the refresh token of a different user:

POST https://graph.microsoft.com/v1.0/users/{id|UserPrincipalName}/revokeSignInSessions
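A logout routine built around this endpoint, added here as an example (it is not code from the question or the answer): it discards the application's own copies of both tokens, POSTs to `/me/revokeSignInSessions` with the Graph access token, and treats only a 200 response carrying `"value": true` as a confirmed revocation. The `session` dict and the injectable `send` transport are assumptions so the flow can be exercised without network access.

```python
"""Log out an OAuth 2.0 user and revoke their refresh tokens via Microsoft Graph."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
Sender = Callable[[urllib.request.Request], Tuple[int, str]]


def revoke_url(user: Optional[str] = None) -> str:
    """/me revokes the signed-in user's sessions; /users/{id|UPN} revokes another
    user's and needs a privileged permission. '/' in the UPN is percent-encoded."""
    target = "me" if user is None else "users/" + urllib.parse.quote(user, safe="@")
    return f"{GRAPH}/{target}/revokeSignInSessions"


def build_revoke_request(access_token: str, user: Optional[str] = None) -> urllib.request.Request:
    """POST with an empty body, authenticated with the Graph bearer token."""
    req = urllib.request.Request(revoke_url(user), data=b"", method="POST")
    req.add_header("Authorization", f"Bearer {access_token}")
    req.add_header("Content-Length", "0")
    return req


def send_with_urllib(req: urllib.request.Request) -> Tuple[int, str]:
    """Real transport: returns (status, body); 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def logout(session: dict, send: Sender = send_with_urllib) -> bool:
    """Clear the app's stored tokens first, then ask Microsoft to revoke the
    user's refresh tokens. Returns True only when Graph confirms the revocation.
    Access tokens already issued stay valid until they expire, so the app must
    stop using them itself; revocation only prevents new tokens being minted."""
    access_token = session.pop("access_token", None)
    session.pop("refresh_token", None)  # a stale local copy must not survive logout
    if not access_token:
        return False  # nothing to authenticate the revoke call with
    status, body = send(build_revoke_request(access_token))
    if status != 200:
        return False
    try:
        return json.loads(body or "{}").get("value") is True
    except json.JSONDecodeError:
        return False
```

Run `logout(session)` with the real transport after the user clicks sign-out; a `False` result means the local tokens are gone but the server-side revocation should be retried or logged.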