Refresh token revocation in Azure AD B2C


Problem description

In my AD B2C application, I need to revoke all refresh tokens given by AD B2C for a user. This is a requirement to implement because when a user account is logged in to multiple apps and the user changes the password in one app, I have to revoke all of his refresh tokens given to the other apps. How to do that?

Update:
I have tried the following:

  1. B2C - Get Token By Policy
    https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/authorize
    https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/token
    a) Got an access token and refresh token using an AD B2C user account (created directly in the tenant, not through a sign-up policy).
    b) Tried to get a new access token and refresh token by using the token endpoint with grant_type=refresh_token -> able to get tokens.
    c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6 and the client credentials flow (an application registered in the AD blade of the AD B2C tenant and given access to the Graph API).
    d) The above token revoke API call was successful; then tried step (b) again.
    e) Still able to get new tokens from step (b).

  2. B2C - Get Token By Policy - Revoke using GA account
    https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/authorize
    https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/token
    a) Got an access token and refresh token using an AD B2C user account (created directly in the tenant, not through a sign-up policy).
    b) Tried to get a new access token and refresh token by using the token endpoint with grant_type=refresh_token -> able to get tokens.
    c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6; this was done by logging in to Graph API Explorer with a GA account created directly in the tenant.
    d) The above token revoke API call was successful; then tried step (b) again.
    e) Still able to get new tokens from step (b).

  3. B2C - Get Token Without Policy
    https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/authorize
    https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/token
    a) Got an access token and refresh token using an AD B2C user account (created directly in the tenant, not through a sign-up policy).
    b) Tried to get a new access token and refresh token by using the token endpoint with grant_type=refresh_token -> able to get tokens.
    c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6 and the client credentials flow (an application registered in the AD blade of the AD B2C tenant and given access to the Graph API).
    d) The above token revoke API call was successful; then tried step (b) again.
    e) Not able to get new tokens from step (b).

  4. B2C - Get Token Without Policy - Revoke using GA account
    https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/authorize
    https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/token
    a) Got an access token and refresh token using an AD B2C user account (created directly in the tenant, not through a sign-up policy).
    b) Tried to get a new access token and refresh token by using the token endpoint with grant_type=refresh_token -> able to get tokens.
    c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6; this was done by logging in to Graph API Explorer with a GA account created directly in the tenant.
    d) The above token revoke API call was successful; then tried step (b) again.
    e) Still able to get new tokens from step (b).

Basically, I am not able to revoke tokens created from the B2C policy workflow.

Solution:
The refresh token revoke Graph API is working, but it takes around 5 minutes to take effect.
The problem here is that during that waiting period I am able to get a new refresh token and access token, and those new refresh tokens keep working even after the revocation. This means Azure AD takes the request time of the refresh token revoke API call and revokes all refresh tokens issued before that time.
So how to avoid that?
When a new access token is requested with the offline scope using an existing refresh token, why does Azure AD provide a new refresh token even though the existing refresh token still has validity time?

Answer

You can use the Azure AD Graph API to invalidate all refresh tokens for a specific user:

POST https://graph.windows.net/myorganization/users/{user_id}/invalidateAllRefreshTokens?api-version=1.6
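As an added illustration (not code from the question or the answer), a resource-side check in Python that closes the propagation window the question describes: when the password changes, the application records the revocation time at the same moment it calls invalidateAllRefreshTokens, and afterwards rejects access tokens whose auth_time predates that moment, including tokens minted from an old refresh token while the revocation was still propagating. It assumes the auth_time claim is carried over unchanged when a token is refreshed (check this against tokens from your own policy), that signature validation happens before this check, and uses constructed, unsigned sample tokens.

```python
import base64
import json
import time

# Constructed per-user store of "tokens valid from" timestamps (epoch seconds).
# In a real deployment this is written when the user changes their password,
# at the same moment invalidateAllRefreshTokens is called against Graph.
TOKENS_VALID_FROM = {}


def record_revocation(user_id, when=None):
    """Remember when this user's refresh tokens were invalidated."""
    TOKENS_VALID_FROM[user_id] = int(when if when is not None else time.time())


def decode_claims(jwt):
    """Decode the payload of a JWT without verifying it.
    Signature verification is assumed to have happened before this point."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_stale(claims):
    """True if the token's sign-in session predates the stored revocation.
    Assumption: auth_time is preserved across refreshes, so a token minted from
    an old refresh token during the propagation window still shows the old time."""
    user_id = claims.get("oid") or claims.get("sub")
    valid_from = TOKENS_VALID_FROM.get(user_id)
    if valid_from is None:
        return False  # no revocation recorded for this user
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return True  # cannot prove the session is newer than the revocation; reject
    return int(auth_time) < valid_from


def make_unsigned_jwt(claims):
    """Build a constructed, unsigned sample token for this demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    record_revocation("user-1", when=1_700_000_000)  # password changed at this time
    old = make_unsigned_jwt({"oid": "user-1", "auth_time": 1_699_999_000, "iat": 1_700_000_100})
    new = make_unsigned_jwt({"oid": "user-1", "auth_time": 1_700_000_200, "iat": 1_700_000_200})
    print(token_is_stale(decode_claims(old)))  # True: refreshed from a pre-revocation session
    print(token_is_stale(decode_claims(new)))  # False: fresh sign-in after the password change
```

The check only narrows the window on your own resource servers; tokens consumed by third-party APIs still depend on the directory-side revocation completing.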
