Account Revoke Access #1037
Comments
Token revocation does not apply to access tokens, only to refresh tokens. The access token in the cache is expected to work until it expires, at which point the refresh token is used to attempt to renew it. AAD will subsequently reject the renewal for the revoked client, at which point the client SDK no longer has a valid access token for the specified resource and access is lost. The lifetime of the access token determines the duration that the client will continue to have access to a given application. For more information see this document on token revocation. Token revocation is handled by AAD, not by the library itself.
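The mechanism described in the comment above, as an added example that is not part of this issue or of the library's code: a self-contained Python simulation of a stateless bearer access token, a client-side token cache, and a consent revocation that only invalidates the refresh token. All names (AuthServer, Client, resource_accepts, simulate), the HMAC-signed token format and the timings are constructed stand-ins for illustration, not MSAL's or AAD's API. The point it makes concrete is that the resource server checks signature and expiry only, so the residual access window after revocation is exactly the remaining access-token lifetime.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed signing key standing in for the issuer's key (demo only).
SECRET = b"constructed-demo-signing-key"


def _sign(payload: dict) -> str:
    """Mint a minimal self-contained token: base64(JSON claims) '.' HMAC-SHA256."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(token: str) -> Optional[dict]:
    """Return the claims if the signature checks out, else None (no online lookup)."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, mac = parts
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class AuthServer:
    """Stand-in identity provider: tracks consent grants and live refresh tokens."""

    def __init__(self, at_lifetime: int):
        self.at_lifetime = at_lifetime
        self.grants: dict[str, set] = {}  # client_id -> refresh tokens still valid

    def _issue(self, client_id: str, now: int) -> dict:
        rt = secrets.token_urlsafe(16)
        self.grants[client_id].add(rt)
        exp = now + self.at_lifetime
        at = _sign({"client_id": client_id, "exp": exp})
        return {"access_token": at, "refresh_token": rt, "expires_at": exp}

    def grant_consent(self, client_id: str, now: int) -> dict:
        self.grants.setdefault(client_id, set())
        return self._issue(client_id, now)

    def refresh(self, client_id: str, rt: str, now: int) -> Optional[dict]:
        """Honour the refresh token only while the consent grant still exists."""
        if rt not in self.grants.get(client_id, set()):
            return None
        self.grants[client_id].discard(rt)  # rotate the refresh token
        return self._issue(client_id, now)

    def revoke_consent(self, client_id: str) -> None:
        """What 'remove access' in the consent UI does: drop the grant and its refresh tokens."""
        self.grants.pop(client_id, None)


def resource_accepts(token: str, now: int) -> bool:
    """Resource server: validates signature and expiry only; never asks whether consent still exists."""
    claims = _verify(token)
    return claims is not None and claims["exp"] > now


class Client:
    """Client SDK with a token cache: serves the cached AT until expiry, then tries the RT."""

    def __init__(self, server: AuthServer, client_id: str):
        self.server = server
        self.client_id = client_id
        self.cache: Optional[dict] = None

    def acquire_token_silent(self, now: int) -> Optional[str]:
        if self.cache and self.cache["expires_at"] > now:
            return self.cache["access_token"]
        if not self.cache:
            return None
        self.cache = self.server.refresh(self.client_id, self.cache["refresh_token"], now)
        return self.cache["access_token"] if self.cache else None


def simulate(at_lifetime: int = 3600, revoke_at: int = 600, revoke: bool = True):
    """Returns (access just after revocation, access after AT expiry, residual window in seconds)."""
    server = AuthServer(at_lifetime)
    client = Client(server, "constructed-malicious-app")
    client.cache = server.grant_consent(client.client_id, now=0)
    if revoke:
        server.revoke_consent(client.client_id)  # user removes the app at t = revoke_at
    t1 = revoke_at + 1
    tok1 = client.acquire_token_silent(t1)
    just_after = tok1 is not None and resource_accepts(tok1, t1)
    t2 = at_lifetime + 1
    tok2 = client.acquire_token_silent(t2)
    after_expiry = tok2 is not None and resource_accepts(tok2, t2)
    return just_after, after_expiry, (at_lifetime - revoke_at) if revoke else None


if __name__ == "__main__":
    print(simulate())  # (True, False, 3000): still in for 3000 s, locked out once the AT expires
```

Shortening at_lifetime in simulate() shows directly how the residual window shrinks with the access-token lifetime, which is the lever the comment above points to.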
If a user revokes "access" (since a user knows nothing about access vs refresh tokens) to a malicious app and that app ceases to appear in the "Apps and services you've given access" UI, isn't it alarming that in fact that malicious app will still have access to the user's account until the expiration of the current access token (which could be up to another hour)...?
That's alarming in my opinion.
On Thu, May 7, 2020 at 1:36 PM dpanzer wrote:
> If a user revokes "access" (since a user knows nothing about access vs refresh tokens) to a malicious app and that app ceases to appear in the "Apps and services you've given access" UI, isn't it alarming that in fact that malicious app will still have access to the user's account until the expiration of the current access token (which could be up to another hour)...?
If you need to mitigate risk associated with AT usage, I suggest reviewing the following document: As it stands today, access tokens are not revocable; this is not a constraint of the client library but rather, it is a fundamentally unsupported action with the AAD service.
Thanks for the info @iambmelt. I'm new to the AAD world and this just seems like a really dangerous design to make the user think they've revoked access but in reality it's just the refresh token that's revoked. I don't think I've ever seen this in another OAuth provider. Anyway, I know this wasn't your decision :) Will work around it.
Describe the bug
The SDK still has access to the account once the application has been revoked via https://account.live.com/consent/Manage. I would expect any calls through the SDK to be invalid if the application / permissions have been revoked and would require a re-auth.