Introspection endpoint for Azure Active Directory

wilsoa6 · ‎May 11 2021

Hi,

There are instances where a user logs off/out but the access token associated with the user on the client does not expire (based on the access token lifetime). This can lead to situations where resource servers or APIs can continue to be invoked with these tokens and the request is serviced/honoured.

An introspection endpoint (per the ITEF specification in RFC 7662 https://tools.ietf.org/html/rfc7662) checks the validity of tokens. When will Microsoft establish an introspection endpoint with Azure Active Directory to check the validity of the token?

At present many customers are creating a bespoke solutions within their environments to perform this function blacklist tokens.

lucaspnw · ‎Dec 04 2023

Key expiration / revocation is a critical function that Azure does not address properly with their lack of an introspection endpoint.
The net result of the current Microsoft implementation of OAuth JWTs is that Azure is not a suitable user directory when credential revocation is time sensitive.

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Introspection endpoint for Azure Active Directory

Introspection endpoint for Azure Active Directory

Re: Introspection endpoint for Azure Active Directory