Tags: c#, authentication, token, azure-active-directory, invalidation

Integrating applications with Azure Active Directory: revalidate Id_token to check if user already logged out


Currently, I am using this library from Microsoft to integrate my application with Azure AD:

https://github.com/AzureAD/azure-activedirectory-library-for-js

My application has its own user authentication. The application only stores the username and uses it to map to the username from Azure AD. I use the OAuth implicit grant and the id_token to log the user in.

Here is the authentication flow I'm implementing:

  1. The user clicks Login.
  2. The app redirects the user to the Microsoft login page.
  3. The user enters their username/password.
  4. The Microsoft login page redirects the user to the Azure login handling page in my application.
  5. The application's backend code (C#) validates the received token to make sure it is from Azure AD, using the code sample from: https://github.com/Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation.
  6. If the token is valid, check whether the username from the token exists in the system.
  7. If yes, the user is authenticated with a token generated from my application's OWIN context.

The problem:

The library in step 5 above can only validate that the token is valid for the Azure tenant and client id and that it has not expired. It does not require network access to do that.

This means that even if the user has already logged out using the Microsoft logout URL: https://login.microsoftonline.com/tenant-id/oauth2/logout?post_logout_redirect_uri=uri, the id_token from Azure is still valid.

My question is:

Is there any way to check whether the user has logged out of Azure AD, then invalidate the id_token and require the user to log in again?

Update:

I use the id_token because I just require the user to have a valid account on Azure AD and do not need any further contact with Azure AD.


Solution

  • ID tokens are considered valid until their expiry. Usually, a web application matches a user’s session lifetime in the application to the lifetime of the ID token issued for the user. You can adjust the lifetime of an ID token to control how often the web application expires the application session, and how often it requires the user to be reauthenticated with Azure AD (either silently or interactively).

    Access Token Lifetime policy controls how long access and ID tokens for this resource are considered valid. Reducing the Access Token Lifetime property mitigates the risk of an access token or ID token being used by a malicious actor for an extended period of time. (These tokens cannot be revoked.) The trade-off is that performance is adversely affected, because the tokens have to be replaced more often.

    To create the policy, run this command:

    PowerShell

    New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxAgeSessionSingleFactor":"02:00:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
    

    Reference: Configurable token lifetimes in Azure Active Directory
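The following C# program is an added example; it is not code from the question, the answer, or Microsoft's sample. It shows what the offline validation in step 5 of the question does and does not establish (a token minted before a sign-out still validates), and the application-side counterpart of the answer's lifetime policy: the app rejects any id_token older than a limit it chooses, and binds the token to the login attempt with the OpenID Connect nonce. Assumed: the System.IdentityModel.Tokens.Jwt NuGet package, a hypothetical tenant id and client id, and a locally generated RSA key standing in for the tenant's signing key (a real app fetches the tenant's public keys from its OpenID Connect metadata, jwks_uri).

```csharp
// Added example, not code from the question, the answer or Microsoft's sample.
// Assumes the System.IdentityModel.Tokens.Jwt NuGet package. Tenant id, client id
// and signing key below are constructed stand-ins for a real registration.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class IdTokenLoginDemo
{
    const string Issuer   = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/";
    const string ClientId = "11111111-1111-1111-1111-111111111111"; // hypothetical

    // Stands in for the tenant's signing key; production code loads the public
    // keys from the tenant's OpenID Connect metadata instead.
    public static RsaSecurityKey NewTenantKey() => new RsaSecurityKey(RSA.Create(2048));

    // Mints a constructed id_token carrying the claims Azure AD puts in one.
    public static string MintIdToken(RsaSecurityKey tenantKey, string upn, string nonce,
                                     DateTime issuedAtUtc, TimeSpan lifetime)
    {
        long iat = new DateTimeOffset(issuedAtUtc).ToUnixTimeSeconds();
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, "user-object-id"),
            new Claim("upn", upn),
            new Claim(JwtRegisteredClaimNames.Nonce, nonce),
            new Claim(JwtRegisteredClaimNames.Iat, iat.ToString(), ClaimValueTypes.Integer64),
        };
        var token = new JwtSecurityToken(
            issuer: Issuer, audience: ClientId, claims: claims,
            notBefore: issuedAtUtc, expires: issuedAtUtc + lifetime,
            signingCredentials: new SigningCredentials(tenantKey, SecurityAlgorithms.RsaSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Step 5: the offline check. It proves the token was signed by this tenant, for
    // this client id, and is inside its validity window. It cannot know whether the
    // user has since hit the Azure AD logout URL; nothing in the token changes.
    public static JwtSecurityToken ValidateOffline(string idToken, SecurityKey tenantKey)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer, ValidAudience = ClientId, IssuerSigningKey = tenantKey,
            ValidateIssuer = true, ValidateAudience = true,
            ValidateIssuerSigningKey = true, ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(5),
        };
        // Throws a SecurityTokenException subclass on expiry, bad signature, wrong audience, ...
        new JwtSecurityTokenHandler().ValidateToken(idToken, parameters, out SecurityToken validated);
        return (JwtSecurityToken)validated;
    }

    // Steps 6-7 plus two app-side controls: the nonce ties the token to the login
    // attempt that requested it, and a maximum token age does in the app what the
    // answer's TokenLifetimePolicy does in the tenant, bounding how long a token
    // minted before a sign-out remains usable to log in here.
    public static bool AcceptLogin(string idToken, SecurityKey tenantKey, string expectedNonce,
                                   TimeSpan maxTokenAge, ISet<string> knownUsers, out string reason)
    {
        JwtSecurityToken jwt;
        try { jwt = ValidateOffline(idToken, tenantKey); }
        catch (Exception e) when (e is SecurityTokenException || e is ArgumentException)
        { reason = "rejected by token validation: " + e.GetType().Name; return false; }

        if (!string.Equals(jwt.Payload.Nonce, expectedNonce, StringComparison.Ordinal))
        { reason = "nonce does not match this login attempt (replayed or foreign token)"; return false; }

        TimeSpan age = DateTime.UtcNow - jwt.IssuedAt; // iat, converted to UTC
        if (age > maxTokenAge)
        { reason = $"token is {age.TotalMinutes:F0} min old, limit {maxTokenAge.TotalMinutes:F0}; re-authenticate"; return false; }

        string upn = jwt.Payload.TryGetValue("upn", out object v) ? v as string : null;
        if (upn == null || !knownUsers.Contains(upn))
        { reason = "user is not provisioned in this application"; return false; }

        reason = "ok: " + upn;
        return true; // the caller now issues its own OWIN session, no longer than maxTokenAge
    }

    public static void Main()
    {
        var tenantKey = NewTenantKey();
        var users = new HashSet<string> { "alice@contoso.example" };
        var maxAge = TimeSpan.FromMinutes(15);
        string nonce = Guid.NewGuid().ToString("N");

        // Minted 20 min ago with a 60 min lifetime; say the user signed out 10 min ago.
        string stale = MintIdToken(tenantKey, "alice@contoso.example", nonce,
                                   DateTime.UtcNow.AddMinutes(-20), TimeSpan.FromMinutes(60));
        var jwt = ValidateOffline(stale, tenantKey);
        Console.WriteLine($"offline validation passes, token valid until {jwt.ValidTo:u}");
        Console.WriteLine($"accept stale: {AcceptLogin(stale, tenantKey, nonce, maxAge, users, out string why)} ({why})");

        string fresh = MintIdToken(tenantKey, "alice@contoso.example", nonce,
                                   DateTime.UtcNow, TimeSpan.FromMinutes(60));
        Console.WriteLine($"accept fresh: {AcceptLogin(fresh, tenantKey, nonce, maxAge, users, out why)} ({why})");
        Console.WriteLine($"accept fresh, wrong nonce: {AcceptLogin(fresh, tenantKey, "other", maxAge, users, out why)} ({why})");
    }
}
```

The stale token passes ValidateOffline because signature, issuer, audience and exp are all still good; only the age check in AcceptLogin turns it away. The age limit is a policy decision, not a detection of the sign-out: a token minted one minute before the user signs out is still accepted for the rest of the window, which is exactly the trade-off the answer describes for the tenant-side lifetime policy. The nonce should also be consumed once used so the same token cannot start a second session.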