Invalidate JWT Token
Need a way to invalidate JWT tokens that have been issued to a user, to prevent the user from accessing AAD with the token after issuing the OAuth logout request:
(https://login.windows.net/{{tenant}}/oauth2/logout?postlogoutredirect_uri={{RedirectUri}})

Thanks for the feedback! We will look into this and share an update when we have more information.
4 comments
-
Anonymous commented
Any update on this? We need to implement logout functionality, and even after logging out the user I can still get a response from the token.
-
Nitin commented
Any update on when this issue would be closed please?
-
Erwen commented
Our devs just noticed this. They are able to copy the token to someone else and re-use it to log in without authenticating again. This is a huge security vulnerability.
-
William McKenzie commented
This would be great for tokens granted to service principals, too. We do our best to keep tokens out of the logs for the devops pipeline, but if we knew we could revoke a token at the end of the job, it would greatly reduce the risk of accidentally logging the wrong thing.
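The reason a logout does not stop a bearer JWT is that the token is self-contained: any resource server that checks only the signature and `exp` will keep accepting it until it expires. The mitigation available to the resource server, independent of the identity provider, is to keep a small amount of revocation state and consult it after signature validation. The following is an added example, not code from this thread or from Microsoft: it uses a constructed HS256 key as a stand-in for the issuer (a real AAD resource validates RS256 signatures against the published keys), and layers two checks on top, a per-subject "logged out at" cutoff that rejects every token issued before the logout (the request in the original post) and a per-token `jti` denylist for revoking one specific credential such as a pipeline token at the end of a job (the last comment). The names `RevocationStore`, `issue_token` and `validate` are this example's own.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Set, Tuple

# Constructed demo key. A real resource server verifies the issuer's
# signature against its published keys instead of a shared secret.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, jti: str, iat: int, ttl: int = 3600) -> str:
    """Mint a compact HS256 JWT (constructed stand-in for the identity provider)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "jti": jti, "iat": iat, "exp": iat + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RevocationStore:
    """Server-side state that makes otherwise stateless JWTs revocable.

    Two mechanisms, both keyed on standard claims:
      * per-subject logout cutoff: any token with iat <= cutoff is rejected
      * per-token denylist on jti: revokes one specific token
    Entries may be discarded once the longest token lifetime has elapsed,
    because expiry rejects those tokens anyway.
    """

    def __init__(self) -> None:
        self.logout_after: Dict[str, int] = {}
        self.denied_jti: Set[str] = set()

    def logout(self, sub: str, now: int) -> None:
        self.logout_after[sub] = now

    def revoke(self, jti: str) -> None:
        self.denied_jti.add(jti)

    def is_revoked(self, claims: dict) -> bool:
        if claims.get("jti") in self.denied_jti:
            return True
        cutoff = self.logout_after.get(claims.get("sub"))
        # iat == cutoff is treated as revoked: fail closed on same-second issuance
        return cutoff is not None and claims.get("iat", 0) <= cutoff


def validate(token: str, store: RevocationStore, now: int) -> Optional[dict]:
    """Return the claims if the token is signed, unexpired and not revoked, else None."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(DEMO_SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None                      # signature check comes before anything else
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None                      # pin the algorithm; never trust the header's choice
    claims = json.loads(_b64url_decode(c))
    if claims.get("exp", 0) <= now:
        return None                      # expired
    if store.is_revoked(claims):
        return None                      # valid signature and lifetime, but revoked
    return claims


def demo() -> Tuple[bool, bool, bool, bool]:
    """Walk through the logout and per-token revocation scenarios from the thread."""
    store = RevocationStore()
    t0 = 1_700_000_000                                              # constructed clock
    old = issue_token("alice", "jti-1", iat=t0)
    before_logout = validate(old, store, now=t0 + 10) is not None  # accepted
    store.logout("alice", now=t0 + 20)
    after_logout = validate(old, store, now=t0 + 30) is not None   # same token, now rejected
    fresh = issue_token("alice", "jti-2", iat=t0 + 40)
    fresh_ok = validate(fresh, store, now=t0 + 50) is not None     # issued after logout, accepted
    store.revoke("jti-2")                                           # e.g. end of a pipeline job
    fresh_revoked = validate(fresh, store, now=t0 + 60) is not None  # rejected by jti denylist
    return before_logout, after_logout, fresh_ok, fresh_revoked


if __name__ == "__main__":
    print(demo())
```

The store is deliberately keyed on `sub`, `iat` and `jti` only, so it works with any issuer whose tokens carry those claims; in a multi-instance deployment it would live in a shared cache rather than process memory, and the logout cutoff for a subject can be dropped once every token issued before it has expired.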