Expire authentication tokens for users signed into back-office using an SSO provider if SSO access is revoked #20896
karlitros started this conversation in Features and ideas
Replies: 0 comments
I’ve got an issue with back-office single sign-on authentication security that I'd like to request an improvement for.
I've implemented an SSO solution for the Umbraco back-office that permits people within our Azure Entra ID to log in.
We’ve implemented this within Umbraco 13.10.1.
We have an appsettings section to provide the various auth endpoints, tokens and secrets for the enterprise application:
We have a class that pulls these keys and attaches to the back office authentication builder. The class is registered within the ConfigureServices method of startup.cs.
The login process works, and users (provided they are assigned access in our enterprise application in Azure Portal) can access the back office.
The problem
Once logged in, we have identified a requirement whereby when we remove a user account from the enterprise application in Azure, we want the back-office authentication token to expire, and the user to be automatically logged out.
This is a security measure to protect against instances where a login might be hijacked.
We tested whether this was the case by logging in to the back office, removing the logged-in account from the enterprise application WHILST logged into the back office, then clicking around for an hour and ten minutes (login token expiry is set to 1hr in the database), but the logged-in session is still usable until the user logs themselves out, or they let the session time out by not doing anything in the back-office for 20 minutes.
Discussion
We believe this can be achieved if there is some sort of periodic token refresh by Umbraco to check that the token is still valid.
We’re setting options.saveTokens = true, and so were hoping that would have some effect, but it hasn’t changed anything, and the problem persists.
Can I please request that tokens expire after the access to the back-office is revoked from Azure Portal's Enterprise Application, or some other identity provider, by implementing some sort of token refresh functionality?
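One way to get the behaviour described above in an ASP.NET Core cookie scheme is to hook the cookie handler's principal validation and re-check the user against the identity provider at an interval, rejecting the principal (and clearing the cookie) when the assignment is gone. This is an added example, not code from the discussion or from Umbraco; it assumes a caller-supplied `IExternalAccessChecker` (e.g. a Microsoft Graph app-role lookup, not shown), a constructed claim name `revocation_check_utc`, and that the back-office cookie scheme can be post-configured under `Constants.Security.BackOfficeAuthenticationType`.

```csharp
using System;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Core;

// Assumed abstraction: answers "does the IdP still grant this user access?"
public interface IExternalAccessChecker
{
    Task<bool> IsStillAssignedAsync(string externalUserId, CancellationToken ct);
}

public sealed class RevocationAwareCookieEvents : CookieAuthenticationEvents
{
    private static readonly TimeSpan RecheckInterval = TimeSpan.FromMinutes(5);
    private const string LastCheckClaim = "revocation_check_utc"; // constructed claim name
    private readonly IExternalAccessChecker _checker;

    public RevocationAwareCookieEvents(IExternalAccessChecker checker) => _checker = checker;

    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        ClaimsPrincipal? principal = context.Principal;
        string? externalId = principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (principal is null || externalId is null) return; // not an SSO-issued principal

        // Only ask the identity provider every RecheckInterval, not on every request.
        var stamp = principal.FindFirst(LastCheckClaim)?.Value;
        var lastChecked = DateTimeOffset.TryParse(stamp, out var t) ? t : DateTimeOffset.MinValue;
        if (DateTimeOffset.UtcNow - lastChecked < RecheckInterval) return;

        if (!await _checker.IsStillAssignedAsync(externalId, context.HttpContext.RequestAborted))
        {
            // Access revoked at the IdP: drop the principal and clear the cookie now.
            context.RejectPrincipal();
            await context.HttpContext.SignOutAsync(context.Scheme.Name);
            return;
        }

        // Still assigned: stamp the check time and re-issue the cookie to defer the next check.
        var identity = (ClaimsIdentity)principal.Identity!;
        var old = identity.FindFirst(LastCheckClaim);
        if (old is not null) identity.RemoveClaim(old);
        identity.AddClaim(new Claim(LastCheckClaim, DateTimeOffset.UtcNow.ToString("o")));
        context.ShouldRenew = true;
    }
}

// Registration (assumed scheme name); place alongside the existing ConfigureServices code.
public static class RevocationCheckRegistration
{
    public static IServiceCollection AddBackOfficeRevocationCheck(this IServiceCollection services)
    {
        services.AddScoped<RevocationAwareCookieEvents>();
        services.PostConfigure<CookieAuthenticationOptions>(
            Constants.Security.BackOfficeAuthenticationType,
            o => o.EventsType = typeof(RevocationAwareCookieEvents));
        return services;
    }
}
```

The existing cookie lifetime and 20-minute inactivity timeout still apply; this check shortens the window after revocation to at most `RecheckInterval` for any active session.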