
How do I get my angular application to work with b2c “revoke session” button which I can press in the Azure portal

My use case is to be able to forcibly require users to log in again both from a lost device/account compromised situation but also to update their cached user account which we enrich with additional information in our Angular app.

In Azure B2C I have available several administration buttons including the [Revoke Sessions]. Behind the scenes this calls the graph function as described here (which my API can call programmatically later):- https://docs.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=csharp

Administration buttons in B2C showing Revoke Sessions

In my Angular application, I cannot get this to force my user to log in again on subsequent calls for secured resources. I am expecting that when I make any call after pressing this button, it would send back a failure code that I could trap in an interceptor or similar.

The documentation is not clear & I am not even sure if I am misinterpreting how the action works. I have looked at various answers including one about skewing time and customising the basic susi flow but that seems excessive for something which should be a common use case.

I am using the published sample available at the following location with changes to point it to my B2C area, which has standard flows configured. The issue occurs with the MSAL 1 and 2 code - neither works for this.

B2C user flow for sign-up and sign-in

https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-angular-v2-samples/angular11-b2c-sample

Using this code with my settings, I am able to sign into B2C with a created account, edit my profile and view my example secured API.

Within the B2C environment I press the revoke session button. On the client I try calling my api again and it just calls it as before.

I suspect the change has to go into this part of app.component.ts sample:-

      // Subscribe to MSAL events and react only to login / token-acquisition failures
      this.msalBroadcastService.msalSubject$
        .pipe(
          filter((msg: EventMessage) => msg.eventType === EventType.LOGIN_FAILURE || msg.eventType === EventType.ACQUIRE_TOKEN_FAILURE),
          takeUntil(this._destroying$)
        )
        .subscribe((result: EventMessage) => {
          console.log(result);
          if (result.error instanceof AuthError) {
            // Check for forgot password error
            // Learn more about AAD error codes at https://docs.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes
            if (result.error.message.includes('AADB2C90118')) {

              // login request with reset authority
              let resetPasswordFlowRequest = {
                scopes: ["openid"],
                authority: this.policies.authorities.forgotPassword.authority,
              };

              this.login(resetPasswordFlowRequest);
            }
          }
        });

The documentation with that sample points you to here for other events:- https://docs.microsoft.com/en-gb/azure/active-directory/develop/reference-aadsts-error-codes but again there is nothing mentioned about what to expect from revoke.

What am I missing and how can I get the sample application to force someone to log in again when they try to access a protected resource after that button has been pressed?

Thank you

Azure AD can apply policies, including revoked sessions only when the next request for sign-in or acquiring access token is made.

AAD today works in a stateless mode, so if a user is active in their web app because the session is based upon cookies that are still valid, and/or Access tokens still haven't run through their validity (they are valid for 1 hr after issuance by default), there is no server side mechanism to force sign out a user or invalidate an issued Access token.
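Because the access token stays valid until `exp`, the only place revocation can be honoured earlier is your own API. The added example below (not code from the question, the answer or the MSAL sample) shows a server-side check that rejects tokens issued before the user's recorded revocation time, and the matching client-side decision for the Angular interceptor. It assumes the API's JWT middleware has already verified the signature and parsed the claims, and that your API records the revocation timestamp (for example from Graph's `signInSessionsValidFromDateTime` property) when it calls `revokeSignInSessions`.

```typescript
// Claims the API's existing JWT middleware has already validated (assumption).
interface TokenClaims {
  sub: string; // B2C user id
  iat: number; // issued-at, seconds since epoch
  exp: number; // expiry, seconds since epoch
}

// user id -> revocation time in ms since epoch; in-memory stand-in for your API's store.
type RevocationStore = { [userId: string]: number };

type Verdict = "ok" | "expired" | "issued_before_revocation";

const CLOCK_SKEW_SECONDS = 300; // tolerance typical JWT validators allow on exp

// Server side: reject a token that is expired OR was minted before "Revoke Sessions".
export function checkToken(claims: TokenClaims, revoked: RevocationStore, nowSeconds: number): Verdict {
  if (claims.exp + CLOCK_SKEW_SECONDS <= nowSeconds) return "expired";
  const revokedAtMs = revoked[claims.sub];
  if (revokedAtMs !== undefined && claims.iat * 1000 < revokedAtMs) {
    // Token is cryptographically valid and not yet expired, but predates the revocation.
    return "issued_before_revocation";
  }
  return "ok";
}

// Shape of the API response the Angular interceptor sees.
export interface ApiResponse { status: number; wwwAuthenticate?: string }

// Server side: turn the verdict into an RFC 6750 bearer challenge.
export function handleRequest(claims: TokenClaims, revoked: RevocationStore, nowSeconds: number): ApiResponse {
  const verdict = checkToken(claims, revoked, nowSeconds);
  if (verdict === "ok") return { status: 200 };
  return { status: 401, wwwAuthenticate: 'Bearer error="invalid_token", error_description="' + verdict + '"' };
}

type ClientAction = "none" | "force_interactive_login";

// Client side (Angular interceptor): on invalid_token drop the cached account and
// call loginRedirect(); a silent acquireToken would just return the same cached token.
export function nextClientAction(res: ApiResponse): ClientAction {
  if (res.status !== 401 || !res.wwwAuthenticate) return "none";
  return res.wwwAuthenticate.indexOf('error="invalid_token"') >= 0 ? "force_interactive_login" : "none";
}

// Constructed sample: token issued 11:30, admin revoked sessions at 12:00, API called at 12:10.
export const SAMPLE_REVOCATIONS: RevocationStore = { "user-a": Date.UTC(2024, 0, 1, 12, 0, 0) };
export const SAMPLE_CLAIMS: TokenClaims = {
  sub: "user-a",
  iat: Math.floor(Date.UTC(2024, 0, 1, 11, 30, 0) / 1000),
  exp: Math.floor(Date.UTC(2024, 0, 1, 12, 30, 0) / 1000),
};
export const SAMPLE_NOW = Math.floor(Date.UTC(2024, 0, 1, 12, 10, 0) / 1000);
```

Without the `iat` comparison the sample token above would be accepted until 12:30 even though the session was revoked at 12:00, which is exactly the behaviour the question observes.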
