Graph API revokeSignInSessions in Azure AD B2C: have to call twice to completely revoke a refresh token
Question
I'm trying to revoke a refresh token using the Graph API revokeSignInSessions to handle the case where a user logs out. The problem I see is that I have to call the revocation API twice to actually revoke the refresh token.
Following this link https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow#1-get-an-authorization-code, using Postman, I do it step by step:
Step 1: Get the code
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&response_type=code&redirect_uri=https://jwt.ms/&response_mode=query&scope=offline_access%20https://{tenant-name}/{app-id-uri}/{scope}&state=arbitrary_data_you_can_receive_in_the_response
Step 2: Get refresh token by using the code from step 1
POST https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&scope=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6%20offline_access&code=code%20from%20step%201&client_secret=QHS8i~...
Step 3: Get new access token by using the refresh token
POST https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&client_secret=QHS8i~...&scope=openid%20offline_access&refresh_token=refresh%20token%20from%20step%202
I can get a new access/ID token from the refresh token. After that I revoke the refresh token by using the Graph API revokeSignInSessions.
POST https://graph.microsoft.com/v1.0/users/{user_id}/revokeSignInSessions
I call the API and wait 5 minutes, 10 minutes, 15 minutes and even 30 minutes (for each test), and I can still get a new access token from the refresh token. I also tried the Revoke sessions button in the Azure portal and got the same result.
And the special thing is that when I call the revoke API for the second time, the refresh token is actually revoked (this includes the original refresh token and the next refresh token received after the first unsuccessful revocation).
I checked the refreshTokensValidFromDateTime and signInSessionsValidFromDateTime properties; they are reset to the current date and time as expected after calling the revoke action. Users who are logged in in the browser are also forced to log in again.
The only problem I see here is that I have to call the revocation API twice to actually revoke the refresh token. Is this a bug, or am I doing something wrong somewhere? Please help me; thanks in advance.
Answer 1
Score: 1
To revoke refresh tokens, you can make use of the Graph API query below:
POST https://graph.microsoft.com/beta/users/<user_id>/invalidateAllRefreshTokens
To get the code, I used the same authorization request as you, like below:
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&response_type=code&redirect_uri=https://jwt.ms/&response_mode=query&scope=offline_access%20https://{tenant-name}/{app-id-uri}/{scope}&state=arbitrary_data_you_can_receive_in_the_response
Response:
I generated a refresh token successfully by including the above code in a POST request like this:
POST https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token
grant_type:authorization_code
client_id:appID
client_secret:secret
code:code_from_above_step
redirect_uri: https://jwt.ms
scope:offline_access https://sritestb2caad.onmicrosoft.com/api/custom.scope
Response:
Using the above refresh token, I'm able to generate new ID tokens successfully, like below:
POST https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token
grant_type:refresh_token
client_id:appID
client_secret:secret
refresh_token:refresh_token_from_above_step
scope:openid offline_access
Response:
I ran the Graph query below to revoke a user's refresh tokens, like this:
POST https://graph.microsoft.com/beta/users/<userID>/invalidateAllRefreshTokens
Response:
> Note that it may take up to 5 minutes to take effect after revoking refresh tokens from the Graph API.
When I tried to generate a new token using the same refresh token now, I got an error message saying "The provided grant has been revoked", like below:
POST https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token
grant_type:refresh_token
client_id:appID
client_secret:secret
refresh_token:refresh_token_from_above_step
scope:openid offline_access
Response:
Reference:
user: invalidateAllRefreshTokens - Microsoft Graph beta
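To reproduce the question's observation repeatably instead of by hand in Postman, and to time the propagation delay the answer mentions, here is an added example that is not code from the question, the answer, or Microsoft. It is a small Python probe that redeems the refresh token (the question's step 3), calls either Graph revocation action (revokeSignInSessions on v1.0, or the answer's beta invalidateAllRefreshTokens), and then keeps retrying the grant with the same refresh token until the token endpoint rejects it. The tenant, policy, client ID, secret, user ID, Graph bearer token and the FakeIdp transport are placeholders and constructed stand-ins; the real urllib_post transport is included but not exercised offline. Treating the standard OAuth invalid_grant error code as revocation is an assumption; the error text matched is the one quoted in the answer.

```python
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

# Transport contract: post(url, headers, body) -> (http_status, json_dict). It is
# injected so the same probe runs offline against the constructed FakeIdp below.
Post = Callable[[str, Dict[str, str], Optional[str]], Tuple[int, dict]]
GRAPH = "https://graph.microsoft.com"


def token_endpoint(tenant: str, policy: str) -> str:
    return f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token"


def classify_token_response(status: int, body: dict) -> str:
    """'ok' if a new access token came back; 'revoked' on the standard invalid_grant
    code (assumed) or the description text the answer quotes; otherwise 'error'
    (throttling, wrong secret, network), which the probe treats as transient."""
    if status == 200 and "access_token" in body:
        return "ok"
    if body.get("error") == "invalid_grant" or "revoked" in body.get("error_description", "").lower():
        return "revoked"
    return "error"


def refresh_grant(post: Post, tenant: str, policy: str, client_id: str,
                  client_secret: str, refresh_token: str) -> Tuple[str, dict]:
    """Step 3 of the question: redeem a refresh token at the B2C token endpoint."""
    form = urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "client_secret": client_secret, "scope": "openid offline_access",
                      "refresh_token": refresh_token})
    status, body = post(token_endpoint(tenant, policy),
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    return classify_token_response(status, body), body


def revoke_user(post: Post, graph_token: str, user_id: str,
                action: str = "revokeSignInSessions") -> bool:
    """Graph revocation. revokeSignInSessions is on v1.0; invalidateAllRefreshTokens
    (the answer's suggestion) is beta only. Both return 200 with {"value": true}."""
    version = "beta" if action == "invalidateAllRefreshTokens" else "v1.0"
    status, body = post(f"{GRAPH}/{version}/users/{user_id}/{action}",
                        {"Authorization": f"Bearer {graph_token}", "Content-Length": "0"}, None)
    return status == 200 and body.get("value") is True


def wait_for_revocation(refresh: Callable[[str], Tuple[str, dict]], refresh_token: str,
                        timeout_s: float = 1800, interval_s: float = 30,
                        clock=time.monotonic, sleep=time.sleep) -> Optional[float]:
    """Retry the grant with the SAME refresh token until the IdP rejects it; return the
    seconds elapsed, or None if it still works at the timeout. Tokens rotated in by a
    successful probe were issued after the revoke call, and refreshTokensValidFromDateTime
    only invalidates tokens issued before it, so the original token is the one to watch."""
    start = clock()
    while True:
        outcome, _ = refresh(refresh_token)
        if outcome == "revoked":
            return clock() - start
        if clock() - start >= timeout_s:
            return None
        sleep(interval_s)


def urllib_post(url: str, headers: Dict[str, str], body: Optional[str]) -> Tuple[int, dict]:
    """Real transport for a live tenant (not exercised by the offline demo)."""
    req = urllib.request.Request(url, data=(body or "").encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class FakeIdp:
    """Constructed stand-in for B2C plus Graph: a revoke call only takes effect after
    `lag_probes` further refresh attempts, mimicking the propagation delay in the thread."""
    def __init__(self, lag_probes: int):
        self.lag_probes, self.revoked_at, self.probes, self.issued = lag_probes, None, 0, 0

    def __call__(self, url: str, headers: Dict[str, str], body: Optional[str]) -> Tuple[int, dict]:
        if url.endswith(("/revokeSignInSessions", "/invalidateAllRefreshTokens")):
            self.revoked_at = self.probes
            return 200, {"value": True}
        self.probes += 1
        if self.revoked_at is not None and self.probes > self.revoked_at + self.lag_probes:
            return 400, {"error": "invalid_grant",
                         "error_description": "The provided grant has been revoked."}
        self.issued += 1
        return 200, {"access_token": f"at{self.issued}", "refresh_token": f"rt{self.issued}"}


def demo(lag_probes: int = 3, timeout_s: float = 1800) -> Optional[float]:
    """Refresh once, revoke, then time (in simulated 30 s ticks) until the original
    refresh token is rejected. Placeholder tenant/client/user values throughout."""
    idp = FakeIdp(lag_probes)
    refresh = lambda tok: refresh_grant(idp, "contoso", "B2C_1_signin", "client-id", "secret", tok)
    if refresh("rt0")[0] != "ok" or not revoke_user(idp, "graph-token", "user-guid"):
        raise RuntimeError("fake IdP setup failed")
    ticks = iter(range(0, 10_000_000, 30))
    return wait_for_revocation(refresh, "rt0", timeout_s, 30, clock=lambda: next(ticks), sleep=lambda s: None)


if __name__ == "__main__":
    print("grant rejected after", demo(), "simulated seconds")
```

Against a live tenant, pass urllib_post as the transport, a real refresh token from step 2, and an app-only Graph token for the user in question; the probe then reports how many seconds after the revoke call the original token first fails, which is the number to compare with the answer's "up to 5 minutes". Keep probing the original token rather than the newest rotated one: refreshTokensValidFromDateTime cuts off tokens issued before it, so a token rotated in by a probe that ran after the revoke call is not expected to be rejected by that call, and only a later revoke call will catch it.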
Comments