Microsoft Tech Community

Azure AD Oauth token revocation when user change their password


We have read the document below: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/develop/active-dir...

and we found the token revocation policy is very clear: if a user changes their password, then they may have to re-authenticate. BUT we tested again and again, and it looks like this policy is not working for us: the original access_token and refresh_token can still be used without any error. Does it make sense? Or is there anything we missed?

token revocation policy

We tested in this way. Let's see if there are any problems.

  1. The first time the user logs in to the application, they enter their credentials, and the application obtains the access_token to access the resource.
  2. The application saves the access_token and uses it directly in the next request.
  3. When the access_token expires, the application uses the refresh_token to obtain a new access_token.
  4. Users may modify their passwords for a variety of reasons; we expect the original token to be revoked automatically and the user to be prompted to re-authenticate next time.
  5. We cannot see the expected behavior.
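As an added illustration of the five steps above (example code, not from the original post or from Microsoft), a minimal client-side view of the flow: a cached bearer access token is judged usable purely from its exp claim, so a password change does not stop it working until it expires, and the refresh-token grant returning the RFC 6749 error invalid_grant is the point at which the app must drop its cache and send the user back to interactive login. The sample JWT is constructed and unsigned; claim names and the action labels are this example's own.

```python
import base64
import json


def _b64url(data: dict) -> str:
    # JWT segments are base64url without padding.
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_access_token(issued_at: int, lifetime_s: int = 3600) -> str:
    # Constructed, unsigned token carrying the standard iat/exp claims.
    # The resource server verifies the real signature; we only read claims.
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iat": issued_at, "exp": issued_at + lifetime_s, "scp": "User.Read"}
    return f"{_b64url(header)}.{_b64url(payload)}."


def token_claims(jwt: str) -> dict:
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore padding before decoding
    return json.loads(base64.urlsafe_b64decode(payload))


def access_token_usable(jwt: str, now: int, skew_s: int = 300) -> bool:
    # Step 2/3: a bearer access token is accepted until exp passes; nothing in
    # the token reflects a later password change. Refreshing a little early
    # (skew_s) means a revoked session is noticed sooner, not later.
    return now < token_claims(jwt)["exp"] - skew_s


def next_action(refresh_status: int, refresh_body: dict) -> str:
    # Step 3/4: interpret the token endpoint's answer to a refresh_token grant.
    # RFC 6749 section 5.2: a revoked or expired refresh token is reported as
    # error=invalid_grant; that is the cue to clear cached tokens and prompt
    # the user to sign in again. Other failures (e.g. transient 5xx) are
    # retried; a production client would add backoff.
    if refresh_status == 200 and "access_token" in refresh_body:
        return "use_new_tokens"
    if refresh_body.get("error") == "invalid_grant":
        return "clear_cache_and_reauthenticate"
    return "retry_later"
```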
3 Replies

Last time I played with this, only synced/federated users' tokens were affected by password changes, and by tokens I mean only the refresh tokens. For synced users, password changes didn't invalidate tokens; admin password resets did, though. Things might have changed since.


Are we talking about a custom app or O365 btw?

Thank you, Vasil.


Yes, we are talking about a custom app which uses Microsoft Graph to access Office 365 resources.

Did you come up with any solution to this issue?