
Account Revoke Access #1037

Closed
pequots34 opened this issue May 7, 2020 · 5 comments
Assignees
Labels
Question Customer or contributor is seeking clarification or information

Comments

@pequots34

Describe the bug
The SDK still has access to the account once the application has been revoked via https://account.live.com/consent/Manage. I would expect any calls through the SDK to be invalid if the application / permissions have been revoked, and to require a re-auth.

@iambmelt iambmelt self-assigned this May 7, 2020
@iambmelt iambmelt added the Question Customer or contributor is seeking clarification or information label May 7, 2020
@iambmelt
Member

iambmelt commented May 7, 2020

Token revocation does not apply to access tokens, only to refresh tokens. The access token in the cache is expected to work until it expires, at which point the refresh token is used to attempt to renew it. AAD will subsequently reject the renewal for the revoked client, at which point the client SDK no longer has a valid access token for the specified resource and access is lost. The lifetime of the access token determines the duration that the client will continue to have access to a given application.

For more information see this document on token revocation.

Token revocation is handled by AAD, not by the library itself.

@iambmelt iambmelt closed this as completed May 7, 2020
@dpanzer

dpanzer commented May 7, 2020

If a user revokes "access" (since a user knows nothing about access vs refresh tokens) to a malicious app and that app ceases to appear in the "Apps and services you've given access" UI, isn't it alarming that in fact that malicious app will still have access to the user's account until the expiration of the current access token (which could be up to another hour)...?

@pequots34
Author

pequots34 commented May 7, 2020 via email

@iambmelt
Member

iambmelt commented May 7, 2020

If you need to mitigate risk associated with AT usage, I suggest reviewing the following document:
Configurable token lifetimes in Azure Active Directory (Preview)

As it stands today, access tokens are not revocable; this is not a constraint of the client library but rather a fundamentally unsupported action with the AAD service.
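The exposure window described above (cached access token keeps working until `exp`; refresh is then rejected for the revoked client) can be measured from the token itself. This is an added example, not code from the issue or from the SDK; the token is a constructed, unsigned JWT-shaped value built inline, and the claims are read without signature verification purely for inspection, never for authorization decisions.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_constructed_access_token(iat: int, exp: int) -> str:
    """CONSTRUCTED demo token: JWT layout, 'alg: none', empty signature.
    Only used so the functions below have realistic input to parse."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"aud": "api://example-resource", "iat": iat, "exp": exp}  # hypothetical audience
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_claims(token: str) -> dict:
    """Decode the payload segment. No signature check: inspection only."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def access_token_lifetime(token: str) -> int:
    """Configured lifetime in seconds (exp - iat); this is the knob the
    'Configurable token lifetimes' policy governs."""
    c = token_claims(token)
    return c["exp"] - c["iat"]


def residual_access_seconds(token: str, revoked_at: int) -> int:
    """Seconds a cached access token still works after the user revokes the
    grant at revoked_at. Revocation only stops the *refresh*, so the answer is
    the time left until exp, or 0 if the token had already expired."""
    return max(0, token_claims(token)["exp"] - revoked_at)


if __name__ == "__main__":
    iat = 1588867200                      # constructed issue time (epoch seconds)
    tok = make_constructed_access_token(iat, iat + 3600)   # 1 hour lifetime
    print("lifetime:", access_token_lifetime(tok))          # 3600
    print("residual after revoke at +10 min:", residual_access_seconds(tok, iat + 600))  # 3000
```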

@dpanzer

dpanzer commented May 7, 2020

Thanks for the info @iambmelt

I'm new to the AAD world and this just seems like a really dangerous design to make the user think they've revoked access but in reality it's just the refresh token that's revoked. I don't think I've ever seen this in another OAuth provider. Anyway, I know this wasn't your decision :) Will work around it.
