Refresh token revocation in Azure AD B2C


Question

In my AD B2C application, I need to revoke all refresh tokens issued by AD B2C for a user. This is a requirement because a user account can be logged in to multiple apps, and in one app the user changes their password. When the password is changed, I have to revoke all of his refresh tokens given to the other apps. How do I do that?

Update:
I have tried the following:

  1. B2C - Get Token By Policy
    https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/authorize
    https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/token
    a) Got an access token and refresh token using an AD B2C user account (created directly in the tenant, not through a sign-up policy).
    b) Tried to get a new access token and refresh token by using the token endpoint with grant_type refresh_token -> able to get tokens.
    c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6 with the client credentials flow (an application registered in the AD blade of the AD B2C tenant and given access to the Graph API).
    d) The above token revocation API call succeeded; then tried step (b) again.
    e) Still able to get new tokens from step (b).

  2. B2C - Get Token By Policy - Revoke using GA account
    https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/authorize
    https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/token
    a) Got an access token and refresh token using an AD B2C user account (created directly in the tenant, not through a sign-up policy).
    b) Tried to get a new access token and refresh token by using the token endpoint with grant_type refresh_token -> able to get tokens.
    c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6; this was done by logging in to Graph API Explorer with a GA account created directly in the tenant.
    d) The above token revocation API call succeeded; then tried step (b) again.
    e) Still able to get new tokens from step (b).

  3. B2C - Get Token Without Policy
    https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/authorize
    https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/token
    a) Got an access token and refresh token using an AD B2C user account (created directly in the tenant, not through a sign-up policy).
    b) Tried to get a new access token and refresh token by using the token endpoint with grant_type refresh_token -> able to get tokens.
    c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6 with the client credentials flow (an application registered in the AD blade of the AD B2C tenant and given access to the Graph API).
    d) The above token revocation API call succeeded; then tried step (b) again.
    e) Not able to get new tokens from step (b).

  4. B2C - Get Token Without Policy - Revoke using GA account
    https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/authorize
    https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/token
    a) Got an access token and refresh token using an AD B2C user account (created directly in the tenant, not through a sign-up policy).
    b) Tried to get a new access token and refresh token by using the token endpoint with grant_type refresh_token -> able to get tokens.
    c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6; this was done by logging in to Graph API Explorer with a GA account created directly in the tenant.
    d) The above token revocation API call succeeded; then tried step (b) again.
    e) Still able to get new tokens from step (b).

Basically, I am not able to revoke tokens created through the B2C policy workflow.

Solution:
The refresh token revocation Graph API is working, but it takes around 5 minutes to take effect.
The problem is that during that waiting period I am able to get a new refresh token and access token, and those new refresh tokens keep working even after the revocation. This means Azure AD takes the request time of the refresh token revocation API call and revokes all refresh tokens issued before that time.
So how do I avoid that?
When a new access token is requested with the offline scope using an existing refresh token, why does Azure AD provide a new refresh token even though the existing refresh token still has validity time?

Answer

You can use the Azure AD Graph API to invalidate all refresh tokens of a specific user:

POST https://graph.windows.net/myorganization/users/{user_id}/invalidateAllRefreshTokens?api-version=1.6
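An added example (not code from the question or the answer) that scripts the revocation call above and then verifies it, because the question shows the call "succeeding" while old refresh tokens keep working for a few minutes and tokens minted during that lag survive. It acquires an Azure AD Graph token with the client credentials flow from the v1 token endpoint, POSTs `invalidateAllRefreshTokens`, reads back the user's `refreshTokensValidFromDateTime` watermark that this action updates, and polls the B2C policy token endpoint until `grant_type=refresh_token` with the old token is refused. Tenant, policy, client IDs, secret and user object ID are placeholders; the HTTP transport is injectable so the flow can be exercised offline with a fake, and the `scope` value is an assumption for a B2C public client:

```python
"""Revoke all of a B2C user's refresh tokens through Azure AD Graph, then verify the
revocation instead of assuming it took effect the moment the API returned 2xx."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timezone

AAD_GRAPH = "https://graph.windows.net"  # Azure AD Graph, api-version 1.6, as in the question


def http_request(method, url, data=None, headers=None):
    """Default transport: form-encoded body, returns (status, body_text). Injectable for tests."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def get_graph_app_token(tenant, client_id, client_secret, request=http_request):
    """Client-credentials token for Azure AD Graph from the v1 (resource-based) endpoint."""
    status, body = request("POST", f"https://login.microsoftonline.com/{tenant}/oauth2/token",
                           data={"grant_type": "client_credentials", "client_id": client_id,
                                 "client_secret": client_secret, "resource": AAD_GRAPH + "/"})
    if status != 200:
        raise RuntimeError(f"client-credentials request failed: {status} {body}")
    return json.loads(body)["access_token"]


def invalidate_all_refresh_tokens(app_token, user_object_id, request=http_request):
    """The revocation call from the answer; True on any 2xx response."""
    url = f"{AAD_GRAPH}/myorganization/users/{user_object_id}/invalidateAllRefreshTokens?api-version=1.6"
    status, _ = request("POST", url, headers={"Authorization": f"Bearer {app_token}"})
    return 200 <= status < 300


def parse_graph_datetime(value):
    """Azure AD Graph timestamps are UTC ISO-8601 and may carry 7 fractional digits."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def refresh_tokens_valid_from(app_token, user_object_id, request=http_request):
    """Read back the user's refreshTokensValidFromDateTime watermark that the revocation set."""
    url = f"{AAD_GRAPH}/myorganization/users/{user_object_id}?api-version=1.6"
    status, body = request("GET", url, headers={"Authorization": f"Bearer {app_token}"})
    if status != 200:
        raise RuntimeError(f"user read failed: {status} {body}")
    return parse_graph_datetime(json.loads(body)["refreshTokensValidFromDateTime"])


def issued_before_watermark(issued_at, valid_from):
    """Revocation is a timestamp: refresh tokens issued before it are rejected, tokens issued
    after it (including any minted during the propagation lag the question describes) survive."""
    return issued_at < valid_from


def try_refresh(tenant, policy, b2c_client_id, refresh_token, request=http_request):
    """grant_type=refresh_token against the B2C policy token endpoint; True if a token is issued."""
    url = f"https://login.microsoftonline.com/te/{tenant}/{policy}/oauth2/v2.0/token"
    status, _ = request("POST", url, data={"grant_type": "refresh_token", "client_id": b2c_client_id,
                                           "refresh_token": refresh_token,
                                           "scope": "openid offline_access"})  # assumed scope
    return status == 200


def revoke_and_verify(tenant, policy, graph_client_id, graph_client_secret, b2c_client_id,
                      user_object_id, old_refresh_token, attempts=10, wait_seconds=30,
                      request=http_request, sleep=time.sleep):
    """Revoke, then poll until the old refresh token is actually refused by the token endpoint."""
    app_token = get_graph_app_token(tenant, graph_client_id, graph_client_secret, request)
    if not invalidate_all_refresh_tokens(app_token, user_object_id, request):
        raise RuntimeError("invalidateAllRefreshTokens did not return 2xx")
    for _ in range(attempts):
        if not try_refresh(tenant, policy, b2c_client_id, old_refresh_token, request):
            return True
        sleep(wait_seconds)
    return False
```

`revoke_and_verify` treats the 2xx from `invalidateAllRefreshTokens` as a request acknowledgement, not proof of revocation, and only reports success once the B2C policy endpoint refuses the old token. Comparing the time a client received its refresh token with the `refreshTokensValidFromDateTime` watermark (`issued_before_watermark`) is what explains the question's observation: a refresh performed after the watermark, even inside the lag window, yields a token the watermark does not cover.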
