Token invalidation when user removes consent?

I have a client-side application that uses the Microsoft Graph API.

In the following scenario:

  1. User logs into the application
  2. User removes consent while the token is active
  3. User performs actions that call the API. The app can still call APIs even though consent was removed, until the token expires after 1 hour

Should the token be invalidated and the API routes return 401? Is there an API I can call to check if the application has permission? If not, am I safe to assume that as long as the token is active I can make API calls?

If this user logs out and logs back in, everything works as expected, since the user is required to grant the app the required scopes.

Mike D asked May 17 '26 22:05


1 Answer

This is correct. Access tokens cannot be revoked and are valid until they expire. Refresh tokens, however, can be revoked, thereby preventing an application from retrieving a new access token.

Marc LaFleur answered May 21 '26 08:05
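An added example (not part of the answer, and not Microsoft's code) showing what a client can determine locally from the token's own claims: remaining lifetime from `exp` and the scopes granted at issuance from `scp`. The claim names follow the usual JWT layout of Microsoft identity platform access tokens, but the token and its values are constructed here, unsigned, and never sent anywhere; removing consent after issuance changes none of these claims, which is why calls keep succeeding until `exp` passes.

```javascript
// Constructed sample claims: issued at 1700000000 with a one-hour lifetime,
// delegated scopes User.Read and Mail.Read granted at issuance.
const SAMPLE_CLAIMS = {
  aud: "https://graph.microsoft.com",     // constructed audience value
  iat: 1700000000,
  exp: 1700003600,
  scp: "User.Read Mail.Read",
};

// Build an unsigned compact JWT (alg "none", empty signature) for offline use.
function makeUnsignedSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.`;
}

// Decode the payload segment without verifying a signature. A client may do
// this to read expiry and scopes; only the resource server validates the token.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Everything the client can know locally. Nothing here contacts the
// authorization server, so a later consent removal is invisible at this layer.
function assessToken(token, nowSeconds, requiredScopes) {
  const claims = decodeJwtPayload(token);
  const granted = (claims.scp || "").split(" ").filter(Boolean);
  const secondsLeft = claims.exp - nowSeconds;
  return {
    expired: secondsLeft <= 0,
    secondsLeft: Math.max(0, secondsLeft),
    grantedScopes: granted,
    missingScopes: requiredScopes.filter((s) => !granted.includes(s)),
  };
}

// Halfway through the lifetime the token still reports 1800 s left and all
// scopes present, even if the user revoked consent a minute ago.
const sampleToken = makeUnsignedSampleToken(SAMPLE_CLAIMS);
console.log(assessToken(sampleToken, 1700001800, ["User.Read"]));
```

Once `expired` is true the only way forward is a refresh, and that is the step a revoked refresh token (or removed consent) will block, sending the user back through sign-in and consent.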
