Token invalidation when users remove consent?

I have a client application that uses the Microsoft Graph API.

In the following scenario:

  • User registers in the application
  • The user removes consent when the token is active.
  • The user takes actions that call the API. The app can still call the API even if the consent has been removed until the token expires after 1 hour.

Should the token be invalidated and the API routes return 401? Is there an API I can call to check whether the app still has permission? Or can I be sure that, as long as the token is active, I can make API calls?

If these users log out of our app and log in again, everything works as expected, as the user must allow the application to have the required scopes.

1 answer


That's correct, access tokens cannot be revoked and are valid until they expire. Refresh tokens, however, can be revoked, thereby preventing the application from receiving a new access token.
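As an added example (not part of the question or the answer above), here is the defensive pattern that follows from the answer: check the cached token's `exp` and `scp` claims locally before a call, and when the API rejects the token anyway, discard it, try the refresh token once, and fall back to a fresh consent flow if the refresh is refused. The token strings, the `TokenSession` class and the injected `refresh` callable are constructed for the demo; the claim names `exp` and `scp` are the ones delegated Graph access tokens carry. Parsing the payload locally does not validate the signature, so the pre-flight check is only a hint, never an authorization decision. The example assumes the API signals a rejected token with 401 or 403.

```python
import base64
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_access_token(scopes, exp):
    """Constructed header.payload.signature string with 'scp' and 'exp' claims.
    Demo only: real tokens are signed, this one carries an empty signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"scp": " ".join(scopes), "exp": exp}).encode())
    return f"{header}.{payload}."


def read_claims(token):
    """Return the payload claims of a JWT-shaped token without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not JWT-shaped")
    return json.loads(_b64url_decode(parts[1]))


def preflight(token, required_scope, now):
    """Local pre-flight: skip the network call when the cached token is already
    expired or never carried the scope we need. Returns (ok, reason)."""
    claims = read_claims(token)
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if required_scope not in claims.get("scp", "").split():
        return False, "scope not granted"
    return True, "ok"


class TokenSession:
    """Holds the cached tokens and decides what to do after the API answers.
    `refresh` is a hypothetical injected callable: given the refresh token it
    returns a new access token, or None when the authorization server refuses
    (for example because the refresh token was revoked after consent was withdrawn)."""

    def __init__(self, access_token, refresh_token, refresh):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self._refresh = refresh
        self.needs_consent = False

    def after_response(self, status):
        """Return the next action: 'proceed', 'retry' (fresh access token obtained)
        or 'reconsent' (refresh refused, send the user through authorization again)."""
        if status not in (401, 403):
            return "proceed"
        # The cached access token was rejected: never reuse it.
        self.access_token = None
        new_token = self._refresh(self.refresh_token) if self.refresh_token else None
        if new_token is None:
            # Refresh refused or no refresh token: drop everything and require new consent.
            self.refresh_token = None
            self.needs_consent = True
            return "reconsent"
        self.access_token = new_token
        return "retry"


if __name__ == "__main__":
    token = make_demo_access_token(["User.Read"], exp=2000)
    print(preflight(token, "User.Read", now=1000))
    session = TokenSession(token, "demo-refresh-token", refresh=lambda rt: None)
    print(session.after_response(401), session.needs_consent)
```

The key point for the questioner is the split of responsibilities: the `exp` check only bounds how long a revoked grant keeps working (the answer's one-hour window), while the 401/403 handling is what actually detects a withdrawn consent, because that is the first moment the refresh token is tried and refused.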