
We need to log out a user from a device that is integrated with Azure AD B2C.

The application is using Azure AD B2C with a Custom Policy, and there seems to be an issue revoking refresh tokens in this combination. (We are using the authorization code flow.)

We have tried to revoke the access by using "Revoke session" on the user, and invalidateAllRefreshTokens with the Graph API, but the user is still logged in and can retrieve access and refresh tokens.

Do we need to implement the revoke logic in the Custom Policy, or is this a bug in AD B2C? Our implementation of the Custom Policy is based on the example from the AD B2C documentation.

1 Answer


Thanks @Jason:

The Graph API command to revoke the session in respect to Azure AD B2C does not invalidate the B2C user's session cookie. It only sets the refreshTokenLastValidFrom timestamp to the current time.

Reference: https://learn.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http

When using a SPA app or .NET app with the PKCE flow, the user's access token expiration will determine when the refresh token is subsequently used. If this exchange fails due to the /revoke endpoint having been called, the user is asked to log in again.

When the user is asked to log in again, the Azure AD B2C web session SSO cookies may give SSO if present and valid, as you note. Otherwise the user is asked to reauthenticate. You can force the behavior slightly by passing 'prompt=login' as part of the loginRedirect() method to clear the cookies in this scenario (when the refresh token call fails).

You can also reduce the web session SSO lifetime such that the cookie is valid for a shorter period of time, somewhat mitigating how long the user may still have access without reauthenticating after the /revoke endpoint is called.

Be aware that the refresh token in the SPA PKCE flow is only valid for 24 hours, and reducing the web session SSO lifetime will also affect users who have not had the /revoke endpoint called against them. For example, if the user visits another application, they may not get SSO due to the shorter cookie lifetime.

Please let us know if you need more information.

Jit_MSFT
This article mentions that you have to make additions to your Custom Policy for it to work: https://stackoverflow.com/questions/63475227/revoking-the-signin-session-for-azure-ad-b2c-users-is-not-working-for-native-app We have tried with "revokeSignInSessions", but this returns a 405. invalidateAllRefreshTokens works and the refreshTokensValidFromDateTime claim gets a new date. But after 15 minutes, the user can still retrieve a new access token. – Jonas Nilsson Mar 29 '21 at 05:41
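As an added illustration of the answer's 'prompt=login' advice (this is not code from the question, the answer or Microsoft): an MSAL.js-style SPA helper that, when silent renewal fails after a server-side revoke, falls back to an interactive login with prompt=login so the B2C web-session SSO cookie is not reused. The client is assumed to expose MSAL's acquireTokenSilent() and loginRedirect() and is injected so the helper can run without a browser; the fake client is constructed for demonstration.

```javascript
// prompt=login makes B2C ignore its SSO cookie and re-collect credentials.
const REAUTH_PROMPT = "login";

// MSAL throws InteractionRequiredAuthError when the refresh token is rejected
// (e.g. after invalidateAllRefreshTokens moved refreshTokensValidFromDateTime).
// Assumption: the error is identified by its `name` property.
function isInteractionRequired(err) {
  return Boolean(err) && err.name === "InteractionRequiredAuthError";
}

// Try a silent renewal; on an interaction-required failure, redirect to a
// forced login instead of letting B2C mint tokens from a stale SSO cookie.
async function acquireTokenOrReauth(client, request) {
  try {
    const result = await client.acquireTokenSilent(request);
    return { status: "token", accessToken: result.accessToken };
  } catch (err) {
    if (!isInteractionRequired(err)) {
      throw err; // network/config errors must not become a login loop
    }
    await client.loginRedirect({ ...request, prompt: REAUTH_PROMPT });
    return { status: "redirected", prompt: REAUTH_PROMPT };
  }
}

// Constructed stand-in for a PublicClientApplication: once `revoked` is set,
// silent acquisition fails the way the answer describes for a revoked token.
function makeFakeClient({ revoked }) {
  const calls = [];
  return {
    calls,
    async acquireTokenSilent(req) {
      calls.push(["silent", req]);
      if (revoked) {
        const e = new Error("interaction_required");
        e.name = "InteractionRequiredAuthError";
        throw e;
      }
      return { accessToken: "constructed-access-token" };
    },
    async loginRedirect(req) {
      calls.push(["redirect", req]);
    },
  };
}
```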