Can Azure AD ADAL (ios) refresh token be revoked from the client?

Submitted by 爷,独闯天下 on 2019-12-06 14:37:41
Gaurav Mantri

Yes. From Best Practices for OAuth 2.0 in Azure AD:

Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. The client application needs to expect and handle errors returned by the token issuance endpoint correctly. When you receive a response with a refresh token error, discard the current refresh token and request a new authorization code or access token. In particular, when using a refresh token in the Authorization Code Grant flow, if you receive a response with the interaction_required or invalid_grant error codes, discard the refresh token and request a new authorization code.

Also I remember Vittorio mentioning in his blog post (ADAL 3 didn’t return refresh tokens for ~5 months… and nobody noticed) that ADAL 3 doesn't even return refresh tokens. I guess the general recommendation is not to take any dependency on refresh tokens in your application.

Regarding logging out the user, please see this thread: ADAL: W8.1 app trying to log user out, though this thread is for Windows Phone app.
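An added example, not code from either answer or from the Azure AD sample app: the silent-acquire-then-fallback pattern the quoted guidance describes, written against ADAL for iOS. The authority, resource, client id and redirect URI are placeholders, and the ADAL names used (`acquireTokenSilentWithResource:...`, `acquireTokenWithResource:...`, `protocolCode`, `tokenCacheStore`, the header path) are assumed from the ADAL Objective-C API and should be checked against the SDK version in use.

```objc
#import <ADAL/ADAL.h>   // header name differs between ADAL versions (assumption)

// Placeholders: fill in from the app registration.
static NSString *const kAuthority   = @"https://login.windows.net/<tenant>";
static NSString *const kResource    = @"<resource-id>";
static NSString *const kClientId    = @"<client-id>";
static NSString *const kRedirectUri = @"<redirect-uri>";

// OAuth2 error codes from the quoted guidance that mean the refresh token must be discarded.
static BOOL ADRefreshTokenIsUnusable(ADAuthenticationError *error)
{
    NSString *code = error.protocolCode;   // 'error' value returned by the token endpoint
    return [code isEqualToString:@"invalid_grant"] ||
           [code isEqualToString:@"interaction_required"];
}

// Use the cached refresh token first; if the service rejects it, drop the cached entry and
// start a new interactive sign-in (new authorization code) rather than retrying silently.
void AcquireAccessToken(void (^completion)(NSString *accessToken, NSError *error))
{
    ADAuthenticationError *ctxError = nil;
    ADAuthenticationContext *ctx =
        [ADAuthenticationContext authenticationContextWithAuthority:kAuthority error:&ctxError];
    if (!ctx) { completion(nil, ctxError); return; }

    NSURL *redirect = [NSURL URLWithString:kRedirectUri];
    [ctx acquireTokenSilentWithResource:kResource
                               clientId:kClientId
                            redirectUri:redirect
                        completionBlock:^(ADAuthenticationResult *result)
    {
        if (result.status == AD_SUCCEEDED) { completion(result.accessToken, nil); return; }
        if (!ADRefreshTokenIsUnusable(result.error)) {
            completion(nil, result.error);   // transient failure: keep the token, surface the error
            return;
        }
        // Refresh token expired, revoked or under-privileged: clearing the cache only stops
        // this client from using it; the user must then sign in again interactively.
        [ctx.tokenCacheStore removeAllWithError:nil];
        [ctx acquireTokenWithResource:kResource
                             clientId:kClientId
                          redirectUri:redirect
                      completionBlock:^(ADAuthenticationResult *retry)
        {
            completion(retry.status == AD_SUCCEEDED ? retry.accessToken : nil, retry.error);
        }];
    }];
}
```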

Based on the link Gaurav provided, here is the logout code for ADAL Objective-C, for the sample app provided by Azure AD:

In viewcontroller:

- (IBAction)logoutUser:(id)sender
{
    [self.unifiedEndpointClient logoutUser];
}

In O365UnifiedEndpointOperations:

-(void)logoutUser
{
    AuthenticationManager *authenticationManager = [AuthenticationManager sharedInstance];
    [authenticationManager removeTokenWithResourceId:_resourceID
                                          withTenant:TENANT_STRING];
}

In AuthenticationManager:

-(void) removeTokenWithResourceId:(NSString *)resourceId
                       withTenant:(NSString *)tenant
{
    // Drop every token ADAL has cached on this device (access and refresh tokens).
    [self.authContext.tokenCacheStore removeAllWithError:nil];

    // Then end the Azure AD web session by calling the tenant's OAuth2 logout endpoint.
    NSURLSession *urlSession = [NSURLSession sessionWithConfiguration: [NSURLSessionConfiguration defaultSessionConfiguration]
                                                             delegate: nil
                                                        delegateQueue: [NSOperationQueue mainQueue]];
    NSURL *url = [NSURL URLWithString: [NSString stringWithFormat: @"https://login.windows.net/%@/oauth2/logout", tenant]];
    [[urlSession dataTaskWithURL:url
               completionHandler:^(NSData *data, NSURLResponse *response, NSError *error)
               {
                   // The response is not inspected; the logout request is fire-and-forget.
               }] resume];
}