0

I have already posted a question, Refresh token revoke, and it works after 1-5 mins.
But it works only for the inbuilt policy (user flow), not for a custom policy.

I have got refresh_token A from the inbuilt policy and refresh_token B from the custom policy.

Both tokens were received for the same user in the same tenant.

After executing revoke (Graph API), when I try to get a new access and refresh token using refresh_token A, it fails. But when I try with refresh_token B (received through the custom policy), it still works: I am able to get new tokens.

I had given a 15 min time gap after the revoke call.

Please help me fix this.

Raj

1 Answer

5

The Configure the resource owner password credentials flow in Azure Active Directory B2C using a custom policy article describes the custom elements that must be implemented to manage the refresh tokens and to test that an already-issued one hasn't been invalidated.

You must:

  • Create the refreshTokenIssuedOnDateTime and refreshTokensValidFromDateTime claim types
  • Create the AssertRefreshTokenIssuedLaterThanValidFromDate claims transformation
  • Create the AAD-UserReadUsingObjectId-CheckRefreshTokenDate and SM-RefreshTokenReadAndSetup technical profiles
  • Create the ResourceOwnerPasswordCredentials-RedeemRefreshToken user journey
  • Refer to this user journey from the RefreshTokenUserJourneyId metaproperty of the JwtIssuer technical profile

By default, the clock skew is set to 0, but you can change this using the TreatAsEqualIfWithinMillseconds parameter of the AssertRefreshTokenIssuedLaterThanValidFromDate claims transformation:

<ClaimsTransformation Id="AssertRefreshTokenIssuedLaterThanValidFromDate" TransformationMethod="AssertDateTimeIsGreaterThan">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="refreshTokenIssuedOnDateTime" TransformationClaimType="leftOperand" />
    <InputClaim ClaimTypeReferenceId="refreshTokensValidFromDateTime" TransformationClaimType="rightOperand" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="AssertIfEqualTo" DataType="boolean" Value="false" />
    <InputParameter Id="AssertIfRightOperandIsNotPresent" DataType="boolean" Value="true" />
    <!-- Set the clock skew to 5 minutes (300000 milliseconds). -->
    <InputParameter Id="TreatAsEqualIfWithinMillseconds" DataType="int" Value="300000" />
  </InputParameters>
</ClaimsTransformation>
Chris Padgett
  • @Chris, I am having the same issue with a JavaScript SPA client using an oidc-client. The documentation you point to has a comment at the top that SPAs are not supported. What does this actually mean? – Douglas Woods Mar 26 '19 at 23:37
  • Hi @DouglasWoods. A SPA shouldn't receive a refresh token because (i) the refresh token represents an account credential, (ii) it must be stored securely, and (iii) it mustn't be exposed client-side. Instead, a SPA can renew an access token, using [silent authentication](https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-spa#refresh-tokens). – Chris Padgett Apr 01 '19 at 07:20
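The elements the answer lists, assembled into one TrustFrameworkExtensions.xml fragment, as an added example (not the answer's own code, and not copied from the Microsoft article it cites). It assumes the B2C starter-pack base policy, so the names AAD-Common, objectId and JwtIssuer already exist; the Graph API revoke the question refers to moves the user's refreshTokensValidFromDateTime forward, which is the value the check below compares the token's issue time against. The claims provider display names and the ClaimsExchange Ids are illustrative choices.

```xml
<!-- Added example: the answer's listed elements as one TrustFrameworkExtensions fragment.
     Assumed: AAD-Common, objectId and JwtIssuer come from the starter-pack base policy. -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- 1. Claim types: issue time carried in the refresh token, and the
            per-user cut-off that revokeSignInSessions resets to "now". -->
    <ClaimType Id="refreshTokenIssuedOnDateTime">
      <DisplayName>refreshTokenIssuedOnDateTime</DisplayName>
      <DataType>string</DataType>
      <UserHelpText>Issue time of the refresh token being redeemed.</UserHelpText>
    </ClaimType>
    <ClaimType Id="refreshTokensValidFromDateTime">
      <DisplayName>refreshTokensValidFromDateTime</DisplayName>
      <DataType>string</DataType>
      <UserHelpText>Refresh tokens issued before this time are invalid.</UserHelpText>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- 2. The assertion: fails the journey, and so the token request, when
            the token predates the cut-off. 300000 ms = 5 min of tolerated skew. -->
    <ClaimsTransformation Id="AssertRefreshTokenIssuedLaterThanValidFromDate" TransformationMethod="AssertDateTimeIsGreaterThan">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="refreshTokenIssuedOnDateTime" TransformationClaimType="leftOperand" />
        <InputClaim ClaimTypeReferenceId="refreshTokensValidFromDateTime" TransformationClaimType="rightOperand" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="AssertIfEqualTo" DataType="boolean" Value="false" />
        <InputParameter Id="AssertIfRightOperandIsNotPresent" DataType="boolean" Value="true" />
        <InputParameter Id="TreatAsEqualIfWithinMillseconds" DataType="int" Value="300000" />
      </InputParameters>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Session Management</DisplayName>
    <TechnicalProfiles>
      <!-- 3a. Pulls objectId and the issue time out of the presented refresh token. -->
      <TechnicalProfile Id="SM-RefreshTokenReadAndSetup">
        <DisplayName>Refresh token read and setup</DisplayName>
        <Protocol Name="None" />
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="objectId" />
          <OutputClaim ClaimTypeReferenceId="refreshTokenIssuedOnDateTime" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- 3b. Reads the user object and runs the assertion against its
              refreshTokensValidFromDateTime; a deleted user fails the journey too. -->
      <TechnicalProfile Id="AAD-UserReadUsingObjectId-CheckRefreshTokenDate">
        <Metadata>
          <Item Key="Operation">Read</Item>
          <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
        </Metadata>
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="objectId" />
          <OutputClaim ClaimTypeReferenceId="refreshTokensValidFromDateTime" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="AssertRefreshTokenIssuedLaterThanValidFromDate" />
        </OutputClaimsTransformations>
        <IncludeTechnicalProfile ReferenceId="AAD-Common" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
  <ClaimsProvider>
    <DisplayName>Token Issuer</DisplayName>
    <TechnicalProfiles>
      <!-- 5. Wire the journey in. Without this metadata item the policy redeems
              refresh tokens without ever running the check above. -->
      <TechnicalProfile Id="JwtIssuer">
        <Metadata>
          <Item Key="RefreshTokenUserJourneyId">ResourceOwnerPasswordCredentials-RedeemRefreshToken</Item>
        </Metadata>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

<UserJourneys>
  <!-- 4. Journey executed on every refresh-token redemption by this policy. -->
  <UserJourney Id="ResourceOwnerPasswordCredentials-RedeemRefreshToken">
    <PreserveOriginalAssertion>false</PreserveOriginalAssertion>
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="RefreshTokenSetupExchange" TechnicalProfileReferenceId="SM-RefreshTokenReadAndSetup" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="CheckRefreshTokenDateExchange" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId-CheckRefreshTokenDate" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
```

Two points worth checking after deploying this. First, the skew value is a security trade-off: with AssertIfEqualTo set to false, a refresh token issued up to TreatAsEqualIfWithinMillseconds before the revoke call is treated as equal to the cut-off and still accepted, so a 5 minute skew means a token minted just before the revoke survives it for 5 minutes; keep the value as small as your clocks allow. Second, the RefreshTokenUserJourneyId metadata is what makes the difference between the two tokens in the question: a custom policy whose JwtIssuer lacks it never runs the journey, and its refresh tokens remain usable until their own expiry regardless of the Graph API revoke.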