Example: A client application uses the OAuth 2.0 code grant flow to obtain an access token. Once the user is done with their work, the "logout" action needs to invalidate the access token.
@drinkbird Thank you for the valuable feedback, we are investigating the issue.
@drinkbird Unfortunately currently we don't have a specific revocation API. However, you can set access token lifetime based on your requirement. Please refer to this document for the same - Azure Active Directory v2.0 tokens reference.
Also please upvote below Azure Feedback request regarding Invalidate JWT Token. This will allow the product team to further prioritize it and include into their plans.
@drinkbird We will now proceed to close this thread. If there are further questions regarding this matter, please open a new issue and we will gladly continue the discussion.
Thank you for your response @MohitGargMSFT
> Unfortunately currently we don't have a specific revocation API. However, you can set access token lifetime based on your requirement.

Thanks for clarifying. Along similar lines, I'm wondering if it's possible for a third party to disconnect their app from a user's account? Will "logging out" have that effect?
@MohitGargMSFT What exactly does deleting the OAuth2PermissionGrant entity for the user do? Will it revoke the refresh token?
> Thanks for clarifying. Along similar lines, I'm wondering if it's possible for a third party to disconnect their app from a user's account? Will "logging out" have that effect?

No, it will not log out, since I am also facing the same issue where, after logout from the application, old requests are still valid.
Azure Feedback request regarding Invalidate JWT Token: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/19474918-invalidate-jwt-token