Azure AD Token Validation

  • Question

  • I'm working on setting up an Authentication Endpoint that uses Azure AD for the identity provider. I have everything working, but one question I have is this: if I create an authToken that's good for an hour and 5 minutes, but then five minutes later I delete the key that was used to create the authToken, now we can't create authTokens, which is good. But if I have other API calls that validate the authToken, they will all validate the previously created token successfully and return data. This seems insecure, since if someone bad got ahold of the clientId and appKey, I wouldn't be able to shut them out of my application without shutting down IIS and bringing everyone down. Am I missing something, or is this just how it works?
    Friday, January 13, 2017 9:29 PM

Answers

  • After hearing back from Microsoft my understanding has now been confirmed.  The below quote is from this article from Microsoft.

    "Access tokens cannot be revoked and are valid until their expiry. A malicious actor that has obtained an access token can use it for extent of its lifetime. Adjusting access token lifetime is a trade-off between improving system performance and increasing the amount of time that the client retains access after the user's account is disabled. Improved system performance is achieved by reducing the number of times a client needs to acquire a fresh access token."

    • Marked as answer by bsmith95610 Tuesday, February 7, 2017 9:23 PM
    Tuesday, February 7, 2017 9:23 PM
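Since the issuer cannot revoke an already-issued access token, the only cut-off available before expiry lives in the resource API itself. The following is an added example (not code from this thread or from Microsoft): it performs the usual claim checks the linked articles describe and adds an application-side per-client cut-off time, so that tokens issued for a compromised client before the cut-off are rejected without restarting IIS. The claim set, tenant and client ids are constructed placeholders, and signature verification against the issuer's signing keys is assumed to have happened upstream.

```python
import time

# Constructed sample claim set, as it would look after the JWT signature has
# already been verified (assumed done upstream). Tenant and client ids are placeholders.
TENANT_PLACEHOLDER = "00000000-0000-0000-0000-000000000000"
CLIENT_PLACEHOLDER = "11111111-1111-1111-1111-111111111111"
EXPECTED_ISS = f"https://sts.windows.net/{TENANT_PLACEHOLDER}/"
EXPECTED_AUD = "api://example-api"

SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISS,
    "aud": EXPECTED_AUD,
    "appid": CLIENT_PLACEHOLDER,   # client that obtained the token
    "iat": 1_700_000_000,          # issued at
    "nbf": 1_700_000_000,          # not before
    "exp": 1_700_003_900,          # 65 minutes after issue, as in the question
}


def validate(claims, now=None, revoked_after=None, leeway=60):
    """Return (accepted, reason) for an already signature-checked claim set.

    revoked_after is an application-side table {appid: unix_time}: tokens for
    that client issued at or before that time are refused. This is the cut-off
    the thread notes Azure AD itself does not provide for access tokens.
    """
    now = int(time.time()) if now is None else now
    if claims.get("iss") != EXPECTED_ISS:
        return False, "wrong issuer"
    if claims.get("aud") != EXPECTED_AUD:
        return False, "token not meant for this API"
    if now + leeway < claims.get("nbf", 0):
        return False, "token not yet valid"
    if now - leeway >= claims.get("exp", 0):
        return False, "token expired"
    cutoff = (revoked_after or {}).get(claims.get("appid"))
    if cutoff is not None and claims.get("iat", 0) <= cutoff:
        return False, "issued before application-side revocation cut-off"
    return True, "ok"


if __name__ == "__main__":
    # Normal acceptance, then the same token after the client is cut off.
    print(validate(SAMPLE_CLAIMS, now=1_700_000_300))
    print(validate(SAMPLE_CLAIMS, now=1_700_000_300,
                   revoked_after={CLIENT_PLACEHOLDER: 1_700_000_100}))
```

The cut-off table must be stored where every API instance can read it (a shared cache or database), otherwise each instance makes its own decision; the quoted Microsoft text still applies to any caller that does not perform this check.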

All replies

  • Hello,

    We are checking on the query and would get back to you soon on this. I apologize for the inconvenience and appreciate your time and patience in this matter.

    Regards,
    Sumanth BM

    Saturday, January 14, 2017 6:13 PM
  • Hello,

    You may see this link - http://www.cloudidentity.com/blog/2014/03/03/principles-of-token-validation/ to understand the token validation mechanism.

    Also, refer to SO link - http://stackoverflow.com/questions/30785029/validate-access-token-for-web-api-protected-by-azure-ad and How to manually validate JWT access token in a Web API - https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapi-manual-jwt-validation/

    I hope that the reply will assist you in getting your query addressed. In case you require further assistance, please do reply to the thread as we are always available to your queries.

    Best Regards
    Sadiqh Ahmed

    Sunday, January 15, 2017 5:46 PM
  • Sadiqh,

    I read the articles that you sent me, but my original question is still the same. For example, in the article on token validation principles, validation checks that the token is well-formed, that the claim is coming from the intended authority, and, in the claims, that it's meant for the current application. But if someone got hold of a token that was, say, good for 45 more minutes, they could use that token for 45 minutes for any API call for that application. I would have no way of locking that person out of my system without stopping IIS. Even if I deleted the key that was used in Azure AD for creating the authentication token, that still wouldn't matter; it would just mean no more authentication tokens could be created, but it wouldn't mean that any previously created tokens were invalid. Is my understanding correct?

    Monday, January 16, 2017 6:28 PM