
How to validate the user id token after user password changes in AD B2C

I am creating a user as an AD B2C local account and am able to generate the user ID token for the created user with https://login.microsoftonline.com/{{My_Domain_Name}}.onmicrosoft.com/oauth2/token/ , and I am using this token to get the user profile from https://graph.windows.net/{{My_Domain_Name}}.onmicrosoft.com/users/{{USER_ID}}?api-version=1.6 . Now, if I change the user's password and keep the old user ID token, I am still able to access the user profile. Is there a way to restrict the Get User call with the old token?

Moving the comments into an answer for other people's reference.

Firstly, you are using an access token to access the user profile. Access tokens cannot be revoked. But you could revoke the refresh token; then the user will lose access to AAD when the old access token expires. The default expiration is 1 hour.

See the reference here.

So you cannot restrict the Get User call with the old token immediately; after you take the above steps:

For applications using access tokens, the user loses access when the access token expires.
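The following is an added example, not code from the question, the answer, or Microsoft. It replays the behaviour described above on a fixed timeline: a bearer access token is self-contained, so a resource that only checks the signature and the exp claim keeps accepting it after the password change until the 1-hour lifetime runs out. It then shows the one check you can add to an API you control (not to graph.windows.net, which is Microsoft's resource): reject tokens whose iat is earlier than the user's last password change, using a hypothetical server-side `password_changed_at` map. Real B2C tokens are RS256-signed and verified against the tenant's JWKS; this example signs with a constructed HS256 key so it runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. Real Azure AD / B2C access tokens are RS256-signed by the
# tenant and verified against its published JWKS; HS256 is used here only so the
# example runs offline.
DEMO_KEY = b"constructed-demo-signing-key-do-not-reuse"
DEFAULT_LIFETIME = 3600  # seconds; the 1-hour default the answer refers to


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, iat: int, lifetime: int = DEFAULT_LIFETIME) -> str:
    """Issue a compact JWT carrying sub/iat/exp, signed with DEMO_KEY (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "iat": iat, "exp": iat + lifetime}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    )
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_signature(token: str) -> dict:
    """Return the claims if the HS256 signature verifies, else raise ValueError."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust alg from the token
    expected = hmac.new(
        DEMO_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(claims_b64))


def check_token(token: str, now: int, password_changed_at: dict) -> tuple:
    """Decide whether a resource API should honour `token` at time `now` (unix seconds).

    password_changed_at maps user id -> unix time of the user's last password
    change. It is hypothetical server-side state kept by the API (or read from
    the directory); the token itself carries nothing about password changes,
    which is why a purely stateless check keeps accepting the old token.
    Returns (accepted, reason).
    """
    try:
        claims = verify_signature(token)
    except ValueError as exc:
        return False, str(exc)
    if now >= claims["exp"]:
        return False, "expired"
    changed = password_changed_at.get(claims["sub"])
    if changed is not None and claims["iat"] < changed:
        return False, "issued before last password change"
    return True, "ok"


def demo() -> dict:
    """Replay the scenario from the question on a fixed, constructed timeline."""
    t0 = 1_700_000_000
    user = "constructed-user-object-id"
    token = mint_token(user, iat=t0)            # token obtained before the change
    changes = {}
    before = check_token(token, t0 + 60, changes)          # fresh token, no change yet
    changes[user] = t0 + 600                                # password changed 10 min later
    still_unexpired = (t0 + 700) < (t0 + DEFAULT_LIFETIME)  # exp alone would still pass
    after = check_token(token, t0 + 700, changes)           # iat < change time -> reject
    expired = check_token(token, t0 + DEFAULT_LIFETIME, changes)  # lifetime reached
    return {
        "before": before,
        "still_unexpired": still_unexpired,
        "after": after,
        "expired": expired,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The iat comparison is only as good as the server-side timestamp it consults, so an API adopting it has to learn about password changes (for example by recording them when its own flow triggers the reset); a token with exp still in the future remains valid everywhere else, which is exactly the window the answer describes.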
