Invalidate Authorization Code after Use

Learner-6009 0 Reputation points
2024-12-16T08:44:03.72+00:00

I have a question regarding the behavior of authorization codes in Azure AD B2C. Specifically, I would like to understand whether it is possible to invalidate an authorization code immediately after it has been exchanged for an ID token.

In my testing, I used tools such as Burp Suite to simulate repeated requests using the same authorization code. I observed that I could successfully reuse the same code multiple times to obtain an ID token, which seems counter to the expected behavior.

My understanding is that an authorization code should be single-use and should expire immediately after it is redeemed.

However, in this case, the authorization code remains valid for up to 10 minutes, allowing it to be reused during that time window.

This could potentially pose a security risk, as a compromised or intercepted authorization code could be exploited to repeatedly obtain tokens.

Could you confirm whether this is the intended behavior for Azure AD B2C? If so, are there any configuration options or best practices to ensure that authorization codes are invalidated immediately after use?


1 answer
  1. Navya 14,040 Reputation points Microsoft Vendor
    2024-12-16T16:59:14.9833333+00:00

    Hi @Learner-6009

    Thank you for posting this in Microsoft Q&A.

    I understand your question is whether it is possible to invalidate an authorization code immediately after it has been exchanged for an ID token in Azure AD B2C, and if there are any configuration options or best practices to ensure that authorization codes are invalidated immediately after use.

    Based on the documentation at https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow#1-get-an-authorization-code it seems that Azure AD B2C does not invalidate authorization codes immediately after they are exchanged for an ID token. Instead, authorization codes remain valid for up to 10 minutes. This is expected behavior.

    Unfortunately, there are no options to ensure that authorization codes are invalidated immediately after use. However, one best practice is to use PKCE (Proof Key for Code Exchange) with authorization codes, which adds an additional layer of security by requiring a secret key to be generated and used during the authorization code exchange process.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
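The replay test the question describes (redeeming one authorization code twice) and the PKCE mitigation the answer recommends can both be scripted. The following is an added example written for this page; it is not code from the question, the answer, or Microsoft. It builds an RFC 7636 S256 code_verifier/code_challenge pair, runs the double-redemption check against a pluggable exchange function, and includes a constructed in-memory token endpoint (a stand-in that can be switched between single-use and reusable codes; it is not Azure AD B2C's implementation). The `b2c_exchange_factory` helper is an assumption about how one would point the same check at a real B2C tenant: the token endpoint URL shape follows the linked Microsoft documentation, and the `tenant`, `policy`, `client_id`, `redirect_uri` and `scope` values are placeholders you must supply.

```python
import base64
import hashlib
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple


def make_pkce_pair(code_verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636.

    If no verifier is supplied, 32 random bytes are base64url-encoded (43 chars,
    no padding) as the verifier. The challenge is BASE64URL(SHA256(verifier)).
    """
    if code_verifier is None:
        code_verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return code_verifier, code_challenge


class SimulatedTokenEndpoint:
    """Constructed stand-in for a token endpoint (NOT Azure AD B2C).

    single_use=True models a server that burns a code on first redemption;
    single_use=False models the reuse window the question observed.
    Expiry is deliberately not modelled; only reuse and PKCE binding are.
    """

    def __init__(self, single_use: bool) -> None:
        self.single_use = single_use
        self.issued: Dict[str, str] = {}   # code -> code_challenge bound at /authorize
        self.redeemed = set()

    def issue_code(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(24)
        self.issued[code] = code_challenge
        return code

    def exchange(self, code: str, code_verifier: str) -> dict:
        if code not in self.issued:
            return {"status": 400, "error": "invalid_grant"}
        if self.single_use and code in self.redeemed:
            return {"status": 400, "error": "invalid_grant"}  # replay rejected
        _, expected_challenge = make_pkce_pair(code_verifier)
        if expected_challenge != self.issued[code]:
            return {"status": 400, "error": "invalid_grant"}  # PKCE mismatch
        self.redeemed.add(code)
        return {"status": 200, "id_token": "constructed.placeholder.jwt"}


def replay_check(exchange: Callable[[str, str], dict], code: str, code_verifier: str) -> dict:
    """Redeem the same code twice through `exchange` and report whether it was reusable."""
    first = exchange(code, code_verifier)
    second = exchange(code, code_verifier)
    return {
        "first_status": first["status"],
        "second_status": second["status"],
        "code_reusable": first["status"] == 200 and second["status"] == 200,
    }


def b2c_exchange_factory(tenant: str, policy: str, client_id: str,
                         redirect_uri: str, scope: str) -> Callable[[str, str], dict]:
    """Build an exchange function against a real B2C token endpoint (assumed shape).

    URL format is taken from the Microsoft doc linked in the answer; all argument
    values are placeholders. Only the redirect from /authorize supplies a real code.
    """
    token_url = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token"

    def exchange(code: str, code_verifier: str) -> dict:
        body = urllib.parse.urlencode({
            "grant_type": "authorization_code",
            "client_id": client_id,
            "code": code,
            "redirect_uri": redirect_uri,
            "scope": scope,
            "code_verifier": code_verifier,
        }).encode("ascii")
        req = urllib.request.Request(token_url, data=body,
                                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urllib.request.urlopen(req) as resp:
                return {"status": resp.status, **json.load(resp)}
        except urllib.error.HTTPError as err:
            return {"status": err.code, **json.load(err)}
    return exchange


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    for mode in (True, False):
        endpoint = SimulatedTokenEndpoint(single_use=mode)
        print("single_use =", mode, replay_check(endpoint.exchange, endpoint.issue_code(challenge), verifier))
```

To repeat the Burp-style test against a tenant, send the user through `/authorize` with `code_challenge` and `code_challenge_method=S256` from `make_pkce_pair`, capture the `code` from the redirect, and pass `b2c_exchange_factory(...)` into `replay_check`; a `second_status` of 200 reproduces what the question reports. The simulated endpoint is there so the check itself can be exercised offline, and its PKCE branch shows what PKCE does and does not buy you: a code captured without the matching verifier is useless, but PKCE on its own does not shorten the code's lifetime or make it single-use.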

