AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C
MIT License

Invalidate access token upon SignOut #1403

Open david-palladino opened 3 years ago

david-palladino commented 3 years ago

Would it be possible to modify the SignOut method in Microsoft.Identity.Web.UI (AccountController.cs) to invalidate the user's access token on the server?

My app uses Microsoft.Identity.Web.UI 1.16.0 and Azure AD B2C. It failed a security test because, after "MicrosoftIdentity/Account/SignOut" was called, the security tester discovered that he was able to continue using the access token found within .AspNetCore.Cookies.

I discovered that the Graph API has a revokeSignInSessions method which at first glance would appear to invalidate the access token, but upon more research I see that it only invalidates refresh tokens.

Thanks
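The behaviour reported above follows from how bearer access tokens are checked: an API accepts a token on the strength of its signature and its `exp` claim alone, so neither clearing the web app's cookie nor revoking refresh tokens affects an access token the tester has already captured. The example below is an added illustration, not code from the microsoft-identity-web project or from the issue author. It uses HS256 with a shared secret as a stand-in for Azure AD's RS256 signature, constructed claim values, and the claim names `exp`, `sid` and `oid` as assumptions; it replays the tester's finding against a plain validator and then against one that also consults a server-side list of revoked session ids, which is the only way an API can make a sign-out take effect before the token expires.

```python
"""
Added example (not from microsoft-identity-web): why an access token survives
web-app sign-out, and what an API must do to reject it immediately.
Assumptions: HS256 stands in for Azure AD's RS256; claims are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # stand-in for the issuer's signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue a compact JWT (header.payload.signature) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class RevokedSessions:
    """Server-side record of session ids (`sid`) whose tokens must be refused.
    In a real deployment this would live in a shared store (e.g. a cache)."""

    def __init__(self) -> None:
        self._sids: set = set()

    def revoke(self, sid: str) -> None:
        self._sids.add(sid)

    def is_revoked(self, sid) -> bool:
        return sid in self._sids


def validate_token(token: str, now: float = None, revoked: RevokedSessions = None,
                   secret: bytes = SECRET):
    """Mirror the checks a JWT bearer handler performs: signature, expiry and,
    only if the API opts in, a revocation list. Returns (accepted, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        return False, "expired"
    if revoked is not None and revoked.is_revoked(claims.get("sid")):
        return False, "session revoked"
    return True, "ok"


def sign_out_scenario(with_revocation_list: bool):
    """Replay the tester's finding: issue a token, sign out, reuse the token
    five minutes later. Only the API-side revocation list changes the outcome."""
    issued_at = 1_700_000_000  # constructed timestamp
    token = mint_token({"oid": "user-guid", "sid": "session-1",
                        "iat": issued_at, "exp": issued_at + 3600})
    revoked = RevokedSessions() if with_revocation_list else None
    # Web-app sign-out clears the cookie. Revoking refresh tokens (Graph
    # revokeSignInSessions) does not touch this token either; the API only
    # learns about the sign-out if something records the session id for it.
    if revoked is not None:
        revoked.revoke("session-1")
    return validate_token(token, now=issued_at + 300, revoked=revoked)


if __name__ == "__main__":
    print("plain bearer validation after sign-out:", sign_out_scenario(False))
    print("with API-side revocation list:        ", sign_out_scenario(True))
```

The first call accepts the replayed token, which is exactly the tester's finding; the second rejects it because the API checked the session id against a list populated at sign-out. Without such a check, the only knob that shortens the exposure window is the access token lifetime itself.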

jmprieur commented 3 years ago

Do you have repro steps, @david-palladino? For instance using this sample? https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C

david-palladino commented 3 years ago

@jmprieur please see this repo with my Blazor Server app here: https://github.com/david-palladino/BlazorServerAzureADB2CApp

You'll just need to update the appsettings.json with the details of your Azure AD B2C tenant before running.

Steps to reproduce the issue are:

1) Log in
2) Click the "Sign out" link in the upper right of the app.

Thanks.