2

I have integrated Microsoft Teams in my project, where a user can give us access to create meetings on Teams on his/her behalf. But now I want to give the user an option to disconnect his/her account, i.e. we will no longer be able to create meetings on the user's behalf.

I am facing a few problems in this flow:

  1. I am unable to find an API where I can send a request on the user's behalf to invalidate an access/refresh token.
  2. If I remove the token stored at my end and then the user again tries to connect their Microsoft account with our website, it no longer asks for the user's consent (which is a basic requirement for OAuth) to give access to our app (if the user is logged in to a Microsoft account in the browser, he/she does not see the consent page and the account is directly connected with our website and we get the refresh/access token).

Can someone help me on this?

In the end, all I want is that when the user tries again to connect his/her Microsoft account with our app, he/she sees the consent page (every time he tries to connect the account), and then the user clicks the allow button, which will give us the access and refresh tokens.

2 Answers

0

If the user has granted access to the application, Azure AD will issue an access token and a refresh token for the resource.

The lifetime of the access token is usually about 1 hour. During its lifetime, even if the application is deleted, it is still available, but you will not be able to use the refresh token to obtain the access token again.

1) To invalidate the access token on the user's behalf, refer to this DOC.

2) For fetching the access token using the refresh token, please refer to this DOC.

Hope this is helpful.

Mehtab Siddique
  • The Doc you mentioned in #1 states that it invalidates all the refresh tokens for applications, not a particular application, so if I use this the user will have to log in again to all the apps where he used the Microsoft account – Deepak Pannu May 04 '22 at 06:22
  • 1. does not use MS Graphs but rather the old, deprecated version. – Black-Pawn-C7 Jul 07 '23 at 11:52
0

An alternative solution for prompting the user with the consent page is simply appending prompt="consent" to the OAuth2 URI parameters:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=xxx&redirect_uri=xxx&scope=xxx&state=xxx&access_type=offline&prompt=consent

_____↑↑↑↑↑↑

Here you can find the documentation about the parameters.

Benyamin Jafari
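Added example, not part of either answer above: a sketch of the disconnect and reconnect flow from the question, where the app discards its stored tokens on disconnect and every reconnect builds an authorize URL with `prompt=consent` plus a single-use `state` value. `TokenStore`, the function names, the client ID, the redirect URI and the scope list are hypothetical; the refresh token is requested through the `offline_access` scope.

```python
import hmac
import secrets
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


class TokenStore:
    """Hypothetical in-memory stand-in for the app's per-user token table."""

    def __init__(self):
        self.tokens = {}         # user_id -> {"access_token": ..., "refresh_token": ...}
        self.pending_state = {}  # user_id -> state issued for the current connect attempt

    def disconnect(self, user_id):
        # Local disconnect: discard our copy of both tokens so the app can no
        # longer act for the user. This does not revoke the grant at Microsoft.
        self.tokens.pop(user_id, None)
        self.pending_state.pop(user_id, None)


def build_connect_url(store, user_id, client_id, redirect_uri, scopes):
    """Build the authorize URL for a (re)connect that always shows the consent page."""
    state = secrets.token_urlsafe(32)  # unguessable, bound to this user and attempt
    store.pending_state[user_id] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "prompt": "consent",  # show the consent dialog even if consent was granted before
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def state_is_valid(store, user_id, returned_state):
    """Check the state echoed to the redirect URI: single use, constant-time compare."""
    expected = store.pending_state.pop(user_id, None)
    return expected is not None and hmac.compare_digest(expected, returned_state)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    store = TokenStore()
    store.tokens["user-1"] = {"access_token": "at-sample", "refresh_token": "rt-sample"}
    store.disconnect("user-1")
    print(build_connect_url(store, "user-1", "CLIENT_ID_PLACEHOLDER",
                            "https://app.example/callback",
                            ["offline_access", "OnlineMeetings.ReadWrite"]))
```
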