
Azure ADB2C logout doesn't invalidate access token #35370

Closed
Statowfiq opened this issue Jul 18, 2019 · 7 comments

Comments

@Statowfiq

Statowfiq commented Jul 18, 2019

Azure ADB2C logout doesn't invalidate access token.

I am using the MSAL 0.2.4 library. The logout function logs me out of my application and redirects me back to login. But the access token is still alive. I am able to use the old access token to access my webAPI.

The access token is not getting invalidated post logout.



@shashishailaj
Member

@Statowfiq Thank you for your query. We will investigate and update this thread further.

@yoelhor
Contributor

yoelhor commented Jul 30, 2019

The access and ID tokens issued by Azure AD B2C are self-contained, so an application needs no further interaction with Azure AD B2C to perform an authorization decision for the client requesting access to a protected resource. After an access token is issued, there is no way to invalidate it (since there shouldn't be any further interaction with Azure AD B2C).

Azure AD B2C supports the revocation of refresh tokens, by calling Azure AD Graph invalidateAllRefreshTokens.

You can configure Azure AD B2C to issue short-lived access tokens, for example 60 minutes or so, which can be refreshed at any time using the corresponding refresh tokens. This allows Azure AD B2C to impose a limit on the time revoked when access tokens need to refresh.

@ManojReddy-MSFT
Member

@Statowfiq We will now proceed to close this thread. If you have further questions, please tag me in the comments and I will gladly continue the conversation.

@iliassk

iliassk commented Jul 1, 2020

About revoking refresh tokens:

@yoelhor @ManojReddy-MSFT , I couldn't find any docs describing how we can call Microsoft Graph's invalidateAllRefreshTokens or revokeSignInSessions when a user authenticates on an Azure AD B2C via the b2clogin.com V2 endpoints.

I have no idea how I can revoke the refresh token once I initiate the logout from my app. Most docs seem to focus on AAD or (soon-to-be) deprecated V1 or Graph API endpoints. How can we achieve this on Azure AD B2C with the b2clogin.com V2 endpoints? Knowing that we cannot use the Azure AD B2C issued access tokens to call Azure AD or Microsoft Graph API.

Should we use built-in or custom policies? Is it even possible?

Thank you!

@droidamar007

@iliassk Did you find any way to invalidate refreshToken? I'm also facing the same issue and stuck for several weeks.

If you find any way please help me out.

Thanks!

@iliassk

iliassk commented Apr 4, 2021

@droidamar007 I haven't tried but you should check out https://docs.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http to invalidate the refresh tokens through the Microsoft Graph API.

@droidamar007

Thanks, @iliassk

I've already tried this. When I'm calling this API using MS Graph API, I'm not getting any error and it is working fine now, but the problem is, even after revoking the sign-in session I'm able to get a new access token using the refresh token.

That is a bit strange and I am not able to find any blog or post on this.

Thanks for your quick reply!
