microsoft-authentication-library-for-android
Refresh Token not invalidated on logout
Describe the bug: I'm not entirely sure this is a bug; it may be user error on my part, but on logout the refresh token is not invalidated server side. I can continue using a refresh token after logout.
By proxying I'm also not seeing the SDK attempt to make any network calls to notify the server of the logout.
Smartphone (please complete the following information):
- Device: OnePlus 8
- Android Version: 11
- Browser: Chrome
- MSAL Version: 3.0.2
To Reproduce
- Keep hold of the latest refresh token
- Logout using the SDK's signout methods on a SingleAccount usage of the SDK on a nonshared device.
- Try getting a new access token with the saved refresh token
- Observe access token returned, i.e. the refresh token is still valid after a logout.
Expected behavior: Refresh token would no longer work (i.e. couldn't be used to obtain new tokens)
Actual behavior: Refresh token is still valid
Additional context: As I mentioned above, I'm not convinced this is a bug. I've been digging through existing issues, notably this one: https://github.com/AzureAD/microsoft-authentication-library-for-android/issues/185 and this one: https://github.com/AzureAD/microsoft-authentication-library-for-android/issues/1234.
Looking at this: https://stackoverflow.com/questions/63613546/logout-in-azure-ad-b2c-android-using-msal I get the impression the web counterpart does support this functionality? Also that shared device mode seems to do a more thorough clear of tokens https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-android-shared-devices (though I've only glanced through and not verified this).
Just hoping someone can give me some insight? Cheers!
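The distinction the report turns on is between a client-side sign-out (clearing the app's token cache) and server-side revocation of the refresh token. The following is an added toy model, not MSAL code and not part of the original issue: an in-memory token issuer and client cache (both constructed here) run through the four reproduction steps above, once with a cache-only sign-out and once with a sign-out that also revokes the refresh token at the issuer. The issuer, cache and function names are assumptions for illustration only.

```python
"""Toy model of client-side sign-out versus server-side refresh-token revocation.

Constructed example (not the MSAL SDK): an in-memory token issuer plus a client
token cache, used to show why clearing the local cache alone leaves a retained
refresh token redeemable, and what a logout must additionally do.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class TokenIssuer:
    """Minimal stand-in for an authorization server's token endpoint.

    Refresh tokens are tracked server-side so they can be revoked. A real
    identity provider would also bind them to client, scope and expiry.
    """
    _valid_refresh_tokens: Set[str] = field(default_factory=set)

    def issue(self) -> dict:
        """Simulate an interactive sign-in: return a fresh access/refresh token pair."""
        refresh_token = secrets.token_urlsafe(32)
        self._valid_refresh_tokens.add(refresh_token)
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": refresh_token}

    def redeem(self, refresh_token: str) -> Optional[dict]:
        """The refresh_token grant: new access token, or None if the RT is not valid."""
        if refresh_token not in self._valid_refresh_tokens:
            return None
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": refresh_token}

    def revoke(self, refresh_token: str) -> None:
        """Server-side revocation: the step a logout needs for the RT to stop working."""
        self._valid_refresh_tokens.discard(refresh_token)


@dataclass
class ClientCache:
    """The app-side token cache that a local sign-out clears."""
    tokens: Optional[dict] = None

    def sign_out_local_only(self) -> None:
        """Clear cached tokens; the issuer is never told."""
        self.tokens = None

    def sign_out_with_revocation(self, issuer: TokenIssuer) -> None:
        """Revoke the RT at the issuer, then clear the cache."""
        if self.tokens:
            issuer.revoke(self.tokens["refresh_token"])
        self.tokens = None


def refresh_token_survives_logout(revoke_on_logout: bool) -> bool:
    """Run the report's reproduction steps against the toy issuer.

    Returns True when a refresh token retained before sign-out can still be
    redeemed afterwards, i.e. when the sign-out did not invalidate it.
    """
    issuer = TokenIssuer()
    cache = ClientCache(tokens=issuer.issue())
    retained_rt = cache.tokens["refresh_token"]       # step 1: keep hold of the RT
    if revoke_on_logout:
        cache.sign_out_with_revocation(issuer)        # step 2, with server-side revocation
    else:
        cache.sign_out_local_only()                   # step 2, cache clear only
    return issuer.redeem(retained_rt) is not None     # steps 3-4: is the RT still redeemable?


if __name__ == "__main__":
    print("cache-only sign-out, RT still valid:", refresh_token_survives_logout(False))
    print("sign-out with revocation, RT still valid:", refresh_token_survives_logout(True))
```

The first call reproduces the observation in the report (a cache-only sign-out leaves the retained refresh token redeemable); the second shows the behaviour the reporter expected, which only happens when the sign-out also reaches the issuer. For monitoring purposes, the signal to watch for is a successful refresh_token grant after the account's sign-out event.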
@SamC-Apadmi - Sorry for the delay in getting back to you on this one. It's possible that this is no longer on your radar at all. If you remember and can tell me more about your test device configuration, that would be great. (Was the device configured in Shared Mode? Was the Microsoft Authenticator app installed? Etc.)
@negoe - Suggest that we update the github bug template to request the developer upload the logs from either of the broker library hosting applications (Authenticator, Intune Company Portal) as part of the bug report.
@shoatman Hey there, device was not configured in shared mode, Authenticator app was installed. Though there has been some back and forth between Microsoft and our security team on this and the conclusion was that this SDK is behaving as expected.
I suppose this becomes more of a feature request now for the SDK to call the necessary B2C endpoints to invalidate refresh tokens on logout.
Thank you for taking the time to provide us with your valuable feedback. Unfortunately, the suggested feature is not currently a priority for us to develop. However, we are constantly evaluating and updating our roadmap based on customer feedback and changing market trends, and we will keep your suggestion in mind for future updates.