Forum Discussion
wilsoa6
May 12, 2021Copper Contributor
Introspection endpoint for Azure Active Directory
Hi,
There are instances where a user logs off/out but the access token associated with the user on the client does not expire (based on the access token lifetime). This can lead to situations where resource servers or APIs can continue to be invoked with these tokens and the request is serviced/honoured.
An introspection endpoint (per the ITEF specification in RFC 7662 https://tools.ietf.org/html/rfc7662) checks the validity of tokens. When will Microsoft establish an introspection endpoint with Azure Active Directory to check the validity of the token?
At present many customers are creating a bespoke solutions within their environments to perform this function blacklist tokens.
- lucaspnwCopper ContributorKey expiration / revocation is a critical function that Azure does not address properly with their lack of an introspection endpoint.
The net result of the current Microsoft implementation of OAuth JWTs is that Azure is not a suitable user directory when credential revocation is time sensitive.