Azure AD Oauth token revocation when user change their password

Ares Chen
Microsoft

We have read the document as below https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/develop/active-dir...

and we found the token revocation policy is very clear: if a user changes their password, then they may have to re-authenticate. BUT we tested again and again, and it looks like this policy does not work for us: the original access_token and refresh_token can still be used without any error. Does it make sense? Or is there anything we missed?

(Image: token revocation policy)

We tested in this way. Let's see if there are any problems.

  1. The first time the user logs in to the application, they enter their credentials, and the application obtains the access_token to access the resource.
  2. The application saves the access_token and uses it directly in the next request.
  3. When the access_token expires, the application uses the refresh_token to obtain a new access_token.
  4. Users may modify their passwords for a variety of reasons. We expect the original token to be revoked automatically and the user to be prompted to re-authenticate next time.
  5. We cannot see the expected behavior.
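The five steps above describe a standard OAuth 2.0 refresh-token flow. The following is an added example (not code from the original post or from Microsoft) showing how a client should drive that flow so that a revoked refresh token is actually noticed: the access token is reused until shortly before its expiry, the refresh_token grant is sent to the v2.0 token endpoint, and an `invalid_grant` reply (the standard RFC 6749 error for a rejected refresh token) clears the cache and forces an interactive re-login. The tenant and client ids, the `TokenCache` and `ReauthRequired` names, and the fake transport that stands in for `login.microsoftonline.com` are all constructed for the example.

```python
import time
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode

# Constructed placeholder identifiers (not real tenant or app ids).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
CLOCK_SKEW = 300  # seconds: refresh a little before the access token expires


class ReauthRequired(Exception):
    """Raised when the token endpoint rejects the refresh token (invalid_grant)."""


def build_refresh_request(refresh_token: str) -> Tuple[str, str]:
    """Return (url, form_body) for an OAuth 2.0 refresh_token grant (RFC 6749 section 6)."""
    body = {
        "client_id": CLIENT_ID,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": GRAPH_SCOPE,
    }
    return TOKEN_ENDPOINT, urlencode(body)


def parse_token_response(status: int, body: dict, now: float) -> dict:
    """Turn a token-endpoint reply into a cached token record, or raise."""
    if status == 200:
        return {
            "access_token": body["access_token"],
            # The endpoint may rotate the refresh token; keep the newest one.
            "refresh_token": body.get("refresh_token"),
            "expires_at": now + int(body.get("expires_in", 0)),
        }
    error = body.get("error", "")
    if error == "invalid_grant":
        # A rejected refresh token is the only signal the client gets that the
        # user must sign in again; an already issued access token keeps
        # working until its own expiry, so refresh near expiry, not late.
        raise ReauthRequired(body.get("error_description", "refresh token rejected"))
    raise RuntimeError(f"token endpoint error: {error or status}")


class TokenCache:
    """Per-user cache: reuse the access token, refresh near expiry, drop on revocation."""

    def __init__(self, tokens: dict, transport: Callable[[str, str], Tuple[int, dict]]):
        # transport(url, form_body) -> (status, json_dict); injected so it can be faked.
        self.tokens = tokens
        self.transport = transport

    def get_access_token(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if now < self.tokens["expires_at"] - CLOCK_SKEW:
            return self.tokens["access_token"]
        url, form = build_refresh_request(self.tokens["refresh_token"])
        status, body = self.transport(url, form)
        try:
            fresh = parse_token_response(status, body, now)
        except ReauthRequired:
            self.tokens = {}  # forget everything; caller must run the interactive login again
            raise
        if fresh["refresh_token"] is None:
            fresh["refresh_token"] = self.tokens["refresh_token"]
        self.tokens = fresh
        return fresh["access_token"]


# Constructed fake transport standing in for the real token endpoint.
def make_fake_transport(accept_refresh: bool):
    def transport(url: str, form: str) -> Tuple[int, dict]:
        assert url == TOKEN_ENDPOINT and "grant_type=refresh_token" in form
        if accept_refresh:
            return 200, {"access_token": "at-2", "refresh_token": "rt-2", "expires_in": 3600}
        # Shape of an invalid_grant reply; the description text is constructed.
        return 400, {"error": "invalid_grant",
                     "error_description": "refresh token was revoked (constructed sample)"}
    return transport


def demo() -> list:
    """Walk the three cases: token still valid, token refreshed, refresh rejected."""
    initial = {"access_token": "at-1", "refresh_token": "rt-1", "expires_at": 1000.0}
    events = []
    cache = TokenCache(dict(initial), make_fake_transport(accept_refresh=True))
    events.append(cache.get_access_token(now=100.0))  # still valid: at-1
    events.append(cache.get_access_token(now=900.0))  # inside skew window: refreshed to at-2
    cache = TokenCache(dict(initial), make_fake_transport(accept_refresh=False))
    try:
        cache.get_access_token(now=900.0)
    except ReauthRequired:
        events.append("reauth")
    return events


if __name__ == "__main__":
    print(demo())
```

The design point is that revocation is only ever observed at the refresh step, so a client that keeps using a cached access token for its full lifetime will not see any error after a password change until it next refreshes; swapping the fake transport for a real HTTPS POST is the only change needed to run this against the endpoint.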
Last time I played with this, only synced/federated users' tokens were affected by password changes, and by tokens I mean only the refresh tokens. For synced users, password changes didn't invalidate tokens, admin password resets did though. Things might have changed since though.


Are we talking about a custom app or O365 btw?

Thank you, Vasil.


Yes, we are talking about a custom app which uses Microsoft Graph to access Office 365 resources.
