Ares Chen
Microsoft
Apr 15, 2018
Azure AD OAuth token revocation when a user changes their password
We have read the document below: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/develop/active-directory-token-and-claims.md
and we found the token revocation policy is very clear: if a user changes their password, then they may have to re-authenticate. BUT we tested again and again, and it looks like this policy does not work for us: the original access_token and refresh_token can still be used without any error. Does it make sense? Or is there anything we missed?
We tested in this way. Let's see if there are any problems.
- The first time the user logs in to the application, they enter their credentials, and the application obtains the access_token to access the resource.
- The application saves the access_token and uses it directly in the next request.
- When the access_token expires, the application uses the refresh_token to obtain a new access_token.
- Users may modify their passwords for a variety of reasons. We expect the original token to be revoked automatically and the user to be prompted to re-authenticate next time.
- We cannot see the expected behavior.
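The flow in the list above is the standard one, and the observation in the post follows from how the two tokens work: an OAuth 2.0 access token is a bearer token that the resource validates by signature and lifetime alone, so a password change cannot surface while it is still within its `exp`; revocation can only be seen when the refresh token is presented to the token endpoint and rejected. The client-side handling below is an added example, not code from the thread or from Microsoft. It assumes the token endpoint is represented by a caller-supplied function (so it runs offline) and that a revoked or expired refresh token comes back as the RFC 6749 error code `invalid_grant`; the sample JWTs and epoch value are constructed.

```python
"""Client-side handling of OAuth 2.0 access/refresh tokens (added example).

Assumptions (not from the thread): the token endpoint is a caller-supplied
callable so this runs offline; a revoked/expired refresh token is reported
as the RFC 6749 error "invalid_grant".
"""
import base64
import json
import time

SKEW_SECONDS = 300  # refresh this long before "exp" to absorb clock skew


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    The client only uses this to schedule refreshes; the resource server,
    not the client, is responsible for verifying the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def access_token_is_fresh(token, now=None):
    """True while the token's exp is comfortably in the future."""
    now = time.time() if now is None else now
    return now + SKEW_SECONDS < jwt_claims(token)["exp"]


class InteractiveLoginRequired(Exception):
    """Raised when the cached refresh token is rejected; the user must sign in."""


class TokenCache:
    def __init__(self, access_token, refresh_token, refresh_fn):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self._refresh = refresh_fn  # callable(refresh_token) -> token-endpoint JSON
        self.refresh_calls = 0

    def get_access_token(self, now=None):
        if access_token_is_fresh(self.access_token, now):
            # Bearer access token: the resource checks signature and lifetime
            # only, so a password change is invisible here until exp passes.
            return self.access_token
        self.refresh_calls += 1
        resp = self._refresh(self.refresh_token)
        if "error" in resp:
            # invalid_grant covers revoked/expired refresh tokens (RFC 6749 s5.2):
            # drop everything cached and force an interactive sign-in.
            self.access_token = self.refresh_token = None
            raise InteractiveLoginRequired(resp.get("error_description", resp["error"]))
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        return self.access_token


# --- constructed sample data ----------------------------------------------
def make_unsigned_jwt(claims):
    """Constructed token with an empty signature, only to feed the expiry
    check above. A resource server must never accept such a token."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{b64({"alg": "none"})}.{b64(claims)}.'


NOW = 1_523_750_400  # constructed epoch value (2018-04-15T00:00:00Z)
FRESH = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "exp": NOW + 3600})
STALE = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "exp": NOW - 60})


def fake_token_endpoint_ok(refresh_token):
    """Constructed stand-in: refresh token still valid, rotated on use."""
    return {"access_token": FRESH, "refresh_token": refresh_token + "-rotated"}


def fake_token_endpoint_revoked(refresh_token):
    """Constructed stand-in: refresh token revoked after a password change."""
    return {"error": "invalid_grant", "error_description": "refresh token revoked"}


def demo():
    """Return (refresh_ok, still_valid_access_token, outcome_after_revocation)."""
    cache = TokenCache(STALE, "rt-1", fake_token_endpoint_ok)
    refresh_ok = (cache.get_access_token(now=NOW) == FRESH, cache.refresh_token)

    # Unexpired access token + revoked refresh token: the call still succeeds
    # and the endpoint is never contacted. This is what the post observed.
    cache = TokenCache(FRESH, "rt-1", fake_token_endpoint_revoked)
    still_valid = cache.get_access_token(now=NOW)
    assert cache.refresh_calls == 0

    cache = TokenCache(STALE, "rt-1", fake_token_endpoint_revoked)
    try:
        cache.get_access_token(now=NOW)
        outcome = "used"
    except InteractiveLoginRequired:
        outcome = "reauth"
    return refresh_ok, still_valid, outcome


if __name__ == "__main__":
    print(demo())
```

The second case in `demo()` is the one that matches the report: with an unexpired access token nothing is sent to the token endpoint, so nothing can be refused. Shortening the access-token lifetime bounds that window; the only event the client can react to is the `invalid_grant` on refresh, which is why the cache clears itself and demands an interactive sign-in at that point rather than retrying.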
Last time I played with this, only synced/federated users' tokens were affected by password changes, and by tokens I mean only the refresh tokens. For synced users, password changes didn't invalidate tokens, admin password resets did though. Things might have changed since though.
Are we talking about a custom app or O365 btw?
- Ares Chen
Microsoft
Thank you Vasil
Yes, we are talking about a custom app which uses Microsoft Graph to access Office 365 resources.
- yyaseminugur (Copper Contributor)
Did you come up with any solution to this issue?