- Why should you revoke access token? - Stack Overflow
Refresh tokens are used for offline access to the user's data when they are not logged in. You should have an ID token if you are using OpenID Connect, which denotes that the user is logged in. "Refresh tokens carry the information necessary to get a new access token
- How OAuth 2.0 Token Revocation Works and Why It Matters - Curity
It's essential to handle both access token and refresh token revocation appropriately. For instance, when a user logs out or changes their credentials, the associated tokens should be revoked to ensure continued security.
- OAuth 2.0 Refresh Token Best Practices - Stateful
When the authorization server detects refresh token reuse, it immediately revokes the refresh token and denies subsequent requests from both the attacker and the legitimate user. There is no way to detect whether the refresh token is coming from a trusted source, so the legitimate user must authenticate again.
- The relationship between revoking a token and signing out
Revoke tokens: ensures that the user's access and refresh tokens cannot be reused. This is a particularly good idea if you are securing an API with these tokens, as the user will now need to request new tokens to be able to access protected resources.
- Refresh Tokens - OAuth 2.0 Simplified
Access tokens can expire for many reasons, such as the user revoking an app, or the authorization server expiring all tokens when a user changes their password. If you make an API request and the token has already expired, you'll get back a response indicating as much.
- How to properly revoke refresh token for a multi-tenant ...
Now, as I understand it, you want userA to be able to invalidate the refresh tokens for Tenant B from Tenant A. If that's the ask, I don't think you can do that, as the access_token and refresh_token pair is issued by the AAD tenant that authenticates the user while the app is being accessed.
- Why Does OAuth v2 Have Both Access and Refresh Tokens?
When the refresh token changes after each use, if the authorization server ever detects that a refresh token was used twice, it means it has likely been copied and is being used by an attacker, and the authorization server can immediately revoke all access tokens and refresh tokens associated with it.
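The two snippets above (the Stateful one and this one) describe the same mechanism: refresh token rotation with reuse detection, plus family-wide revocation on logout. The following is an added example of how an authorization server can implement that server-side; it is not code from any of the quoted sources. It is an in-memory model with hypothetical names (AuthServer, TokenFamily, revoke_family), and it keeps every refresh token ever issued indexed to its "family" (the chain of tokens descending from one login), so that a superseded token presented a second time is recognised as reuse rather than as an unknown token.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TokenFamily:
    """Chain of refresh tokens descending from one login (hypothetical name)."""
    user: str
    client_id: str
    current_rt: str          # the only refresh token in this family that is still valid
    revoked: bool = False


class AuthServer:
    """Minimal in-memory authorization server state (added example, hypothetical)."""

    def __init__(self):
        self.families = {}       # family_id -> TokenFamily
        self.rt_index = {}       # every refresh token ever issued -> family_id (never pruned)
        self.access_tokens = {}  # live access token -> family_id

    @staticmethod
    def _new_token():
        return secrets.token_urlsafe(32)

    def _issue_pair(self, family_id):
        """Rotate: mint a new refresh token and access token for the family."""
        fam = self.families[family_id]
        new_rt = self._new_token()
        fam.current_rt = new_rt
        self.rt_index[new_rt] = family_id   # older tokens stay indexed so reuse is recognisable
        at = self._new_token()
        self.access_tokens[at] = family_id
        return at, new_rt

    def login(self, user, client_id):
        family_id = self._new_token()
        self.families[family_id] = TokenFamily(user, client_id, current_rt="")
        return self._issue_pair(family_id)

    def refresh(self, presented_rt):
        """Return a new (access_token, refresh_token) pair, or None if refused."""
        family_id = self.rt_index.get(presented_rt)
        if family_id is None:
            return None                       # never issued by this server
        fam = self.families[family_id]
        if fam.revoked:
            return None
        if presented_rt != fam.current_rt:
            # A superseded token came back: it has been used twice, so a copy exists.
            # The server cannot tell which caller is the thief, so the whole family dies.
            self.revoke_family(family_id)
            return None
        return self._issue_pair(family_id)

    def revoke_family(self, family_id):
        """Kill the refresh chain and every live access token minted from it."""
        self.families[family_id].revoked = True
        for at in [a for a, f in self.access_tokens.items() if f == family_id]:
            del self.access_tokens[at]

    def revoke(self, token):
        """Logout / revocation endpoint: accepts either an access or a refresh token."""
        family_id = self.rt_index.get(token) or self.access_tokens.get(token)
        if family_id is not None:
            self.revoke_family(family_id)

    def access_token_valid(self, at):
        return at in self.access_tokens


def simulate_replay():
    """Constructed scenario: the first refresh token is leaked right after login.
    Whoever presents rt0 first gets rotated tokens; the second presenter triggers
    reuse detection and the whole family is revoked, including the first caller's
    fresh pair and the original access token."""
    srv = AuthServer()
    at0, rt0 = srv.login("alice", "web-app")
    first = srv.refresh(rt0)                 # first use of rt0: succeeds
    second = srv.refresh(rt0)                # replay of rt0: refused, family revoked
    survivor = srv.refresh(first[1]) if first else None   # first caller's new token is dead too
    return (first is not None, second is not None, survivor is not None,
            srv.access_token_valid(at0))


def simulate_logout():
    """Constructed scenario: logout revokes by access token; the refresh token dies with it."""
    srv = AuthServer()
    at0, rt0 = srv.login("bob", "mobile-app")
    srv.revoke(at0)
    return (srv.access_token_valid(at0), srv.refresh(rt0) is not None)


if __name__ == "__main__":
    print("replay:", simulate_replay())      # (True, False, False, False)
    print("logout:", simulate_logout())      # (False, False)
```

The design choice worth noting is that `rt_index` is never pruned: if the server forgot superseded tokens, a replayed one would look merely unknown and the theft would go undetected. A production implementation would bound that growth with an expiry on the family rather than on individual entries.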