How can we improve Azure Active Directory?

← Azure Active Directory

Invalidate JWT Token

Need a way to invalidate JWTTokens that have been issued to a user to prevent the user from accessing the AAD with the token after issuing the OAuth logout request:
(https://login.windows.net/{{tenant}}/oauth2/logout?post_logout_redirect_uri={{RedirectUri}})

55 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Mohammed Sabeer shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

3 comments

Attach a File
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Erwen commented  ·   ·  Flag as inappropriate

    Our devs just noticed this. They are able to copy the token to someone else and re-use it to log in without authenticating again. This is a huge security vulnerability.

  • William McKenzie commented  ·   ·  Flag as inappropriate

    This would be great for tokens grant to service principals, too. We do our best to keep tokens our the logs for the devops pipeline, but if we know we could revoke a token at the end of the job, it would greatly reduce the risk of accidently logging the wrong thing.

Azure Active Directory: Other

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice