My use case is to be able to forcibly require users to log in again both from a lost device/account compromised situation but also to update their cached user account which we enrich with additional information in our Angular app.
In Azure B2C I have several administration buttons available, including [Revoke Sessions]. Behind the scenes this calls the Graph function described here (which my API can call programmatically later): https://docs.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=csharp
In my Angular application, I cannot get this to force my user to log in again on subsequent calls for secured resources. I am expecting that when I make any call after pressing this button, it would send back a failure code that I could trap in an interceptor or similar.
The documentation is not clear, and I am not even sure whether I am misinterpreting how the action works. I have looked at various answers, including one about skewing time and customising the basic SUSI flow, but that seems excessive for something which should be a common use case.
I am using the published sample available at the following location, with changes to point it at my B2C tenant, which has standard flows configured. The issue occurs with both the MSAL 1 and MSAL 2 code; neither works for this.
Using this code with my settings, I am able to sign in to B2C with an account I created, edit my profile and view my example secured API.
Within the B2C environment I press the revoke sessions button. On the client I try calling my API again and it just calls it as before.
I suspect the change has to go into this part of app.component.ts in the sample:

    // Imports the fragment below relies on (the sample's app.component.ts already has them).
    import { filter, takeUntil } from 'rxjs/operators';
    import { EventMessage, EventType, AuthError } from '@azure/msal-browser';
    import { MsalBroadcastService } from '@azure/msal-angular';

    // Inside ngOnInit() of the sample's AppComponent: subscribe to MSAL events
    // and react to failed logins / failed token acquisitions.
    this.msalBroadcastService.msalSubject$
      .pipe(
        filter((msg: EventMessage) => msg.eventType === EventType.LOGIN_FAILURE || msg.eventType === EventType.ACQUIRE_TOKEN_FAILURE),
        takeUntil(this._destroying$)
      )
      .subscribe((result: EventMessage) => {
        console.log(result);
        if (result.error instanceof AuthError) {
          // Check for forgot password error
          // Learn more about AAD error codes at https://docs.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes
          if (result.error.message.includes('AADB2C90118')) {
            // login request with reset authority
            const resetPasswordFlowRequest = {
              scopes: ['openid'],
              authority: this.policies.authorities.forgotPassword.authority,
            };
            this.login(resetPasswordFlowRequest);
          }
        }
      });
The documentation with that sample points you here for other events: https://docs.microsoft.com/en-gb/azure/active-directory/develop/reference-aadsts-error-codes, but again nothing is mentioned about what to expect after a revoke.
What am I missing, and how can I get the sample application to force someone to log in again when they try to access a protected resource after that button has been pressed?
Thank you
Azure AD can apply policies, including revoked sessions, only when the next sign-in request or access token acquisition is made.
AAD today works in a stateless mode, so if a user is active in their web app because the session is based on cookies that are still valid, and/or access tokens have not yet run through their validity (they are valid for 1 hour after issuance by default), there is no server-side mechanism to force a user to sign out or to invalidate an issued access token.
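The consequence of the answer above is that the resource server has to enforce revocation itself if it wants to stop an already-issued, still-unexpired token. What revokeSignInSessions does on the user object is reset its signInSessionsValidFromDateTime; an API can fetch that value (for example via Microsoft Graph) and reject any token whose iat claim predates it. The following is an added example, not code from the question, the answer or the Microsoft sample. It uses an unsigned, constructed token so it runs offline; the store, function names and user id are hypothetical, and signature validation (which a real API must do first) is deliberately out of scope.

```javascript
// Added example: API-side "issued before revocation" check for a JWT.
// Assumptions (not from the original page): revocationStore is an in-memory
// stand-in for the per-user signInSessionsValidFromDateTime value (Unix seconds)
// that the API would fetch from Microsoft Graph; the sample token is unsigned
// (alg "none") purely so the example runs without keys. In production, verify
// the signature and issuer before calling checkTokenAgainstRevocation.

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Decode only the payload of a compact JWS; no signature check is performed here.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Constructed sample token (hypothetical claims, no signature).
function makeSampleToken(claims) {
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(claims)}.`;
}

// Returns { ok, reason }. A token is rejected when it is expired, or when the
// user's sessions were revoked after it was issued. No skew tolerance is applied
// on purpose: any tolerance here should favour rejection, not acceptance.
function checkTokenAgainstRevocation(token, revocationStore, nowSeconds) {
  const claims = decodeJwtPayload(token);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { ok: false, reason: 'expired' };
  }
  const validFrom = revocationStore.get(claims.oid);
  if (validFrom !== undefined && typeof claims.iat === 'number' && claims.iat < validFrom) {
    return { ok: false, reason: 'issued_before_revocation' };
  }
  return { ok: true, reason: null };
}

// Walks through the scenario from the question with constructed timestamps:
// token issued, admin presses [Revoke Sessions], same token presented again,
// user signs in again and presents a freshly issued token.
function simulateRevocation() {
  const revocationStore = new Map();
  const userOid = '11111111-2222-3333-4444-555555555555'; // hypothetical object id
  const t0 = 1700000000; // constructed "now" in Unix seconds

  const token = makeSampleToken({ oid: userOid, iat: t0, nbf: t0, exp: t0 + 3600, scp: 'demo.read' });
  const before = checkTokenAgainstRevocation(token, revocationStore, t0 + 60);

  // Ten minutes in, the admin revokes the user's sessions: Graph now reports
  // signInSessionsValidFromDateTime == t0 + 600 for this user.
  revocationStore.set(userOid, t0 + 600);
  // The original token is still inside its one-hour lifetime, so only this
  // check (not expiry) can stop it.
  const after = checkTokenAgainstRevocation(token, revocationStore, t0 + 660);

  // The user signs in again and receives a token issued after the revocation.
  const reissued = makeSampleToken({ oid: userOid, iat: t0 + 700, nbf: t0 + 700, exp: t0 + 4300, scp: 'demo.read' });
  const afterReissue = checkTokenAgainstRevocation(reissued, revocationStore, t0 + 720);

  return { before, after, afterReissue };
}

module.exports = { decodeJwtPayload, makeSampleToken, checkTokenAgainstRevocation, simulateRevocation };
```

Once the API rejects the old token (for example with a 401), the Angular client's interceptor sees the failure on the very next protected call, which is the behaviour the question expected from the button alone. The cost is one lookup of the user's revocation timestamp per request (or per cache interval you are willing to accept), which is the trade-off for enforcing revocation against a stateless bearer token.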