0

I set up Azure Active Directory (AAD) based authentication and received an Azure AD OAuth token to start exploring the Microsoft Dynamics 365 Business Central API (https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/devenv-develop-connect-apps).

Now I need a way to revoke the token (mentioned above) when a user wants to disconnect from my application. I tried to find an endpoint like .../oauth2/deauthorize and send a POST request to it with data={'refresh_token': <my-refresh-token>} and headers={'Authorization': <my-client-id-client-secret-pair>}.

But I didn't manage to find such a solution :( Could anybody please help me?

  • The typical approach is to have the app remove the tokens from its memory and any persistent caches. Usually the only scenario where you would want to revoke existing tokens is if the account is compromised. Not something that is done during standard log out. – juunas Jun 16 '22 at 17:01
  • If refresh_token is still valid, I can use it to get a new access_token and continue getting data from the API. I want to prevent that. – Eugene Reyek Jun 16 '22 at 20:53

1 Answer

0

If the user is authenticated, he gets an access token along with a refresh token. You can revoke the refresh token using the PowerShell command:

PS C:\> Revoke-AzureADUserAllRefreshToken -ObjectId "a1dxxxxx-7xx6-4xxd-axxx-b7xxxxxxxa33"

Using the Microsoft Graph API:

POST https://graph.microsoft.com/{version}/users/{userobject_id}/invalidateAllRefreshTokens

By doing this, the user will not be able to access Dynamics 365 after the access token expires (1 hour), i.e. he won't be able to receive another access token by using the refresh token.

An access token cannot be revoked, but its lifetime or expiration can be configured.

References:

  1. How to revoke token - Microsoft Q&A
  2. Revoke user access in an emergency in Azure Active Directory - Microsoft Entra | Microsoft Docs
RahulKumarShaw
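As an added example (not part of the answer above and not Microsoft's code), a Python disconnect handler that combines the comment's advice to drop cached tokens with the Graph call from the answer. `token_store`, `build_revoke_request` and `disconnect_user` are hypothetical names, and `graph_token` is assumed to be a Microsoft Graph access token that is permitted to call this endpoint.

```python
import urllib.error
import urllib.request
import uuid

GRAPH_BASE = "https://graph.microsoft.com"


def build_revoke_request(user_object_id, graph_token, version="v1.0"):
    """Build the POST that invalidates every refresh token issued to one user."""
    # Canonicalise the object ID so nothing but a GUID can reach the URL path.
    oid = str(uuid.UUID(user_object_id))
    url = f"{GRAPH_BASE}/{version}/users/{oid}/invalidateAllRefreshTokens"
    return urllib.request.Request(
        url,
        data=b"",  # empty body: the request in the answer is shown without one
        method="POST",
        headers={"Authorization": f"Bearer {graph_token}"},
    )


def disconnect_user(token_store, user_object_id, graph_token,
                    send=urllib.request.urlopen):
    """Forget the user's tokens locally, then revoke refresh tokens server-side.

    token_store is a hypothetical dict: user object ID -> cached tokens.
    Returns (had_local_tokens, revoked_remotely).
    """
    # Build first: a malformed ID raises ValueError before any state changes.
    request = build_revoke_request(user_object_id, graph_token)
    # Drop the cached access and refresh tokens even if the Graph call fails,
    # so this app stops using an access token that stays valid until it expires.
    had_local = token_store.pop(user_object_id, None) is not None
    try:
        with send(request) as response:
            revoked = 200 <= response.status < 300
    except urllib.error.URLError:  # HTTPError (4xx/5xx) is a subclass
        revoked = False
    return had_local, revoked
```

A `False` in the second position means the refresh token may still be redeemable, so the caller should retry the revocation rather than report the user as fully disconnected.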