fix: force interactive token refresh after permission revocation

* fix: force interactive token refresh after permission revocation

Author: Highbury1993

src/app/services/actions/revoke-scopes.action.ts

@@ -1,12 +1,14 @@
 import { createAsyncThunk } from '@reduxjs/toolkit';
 import { ApplicationState } from '../../../store';
+import { authenticationWrapper } from '../../../modules/authentication';
 import { componentNames, eventTypes, telemetry } from '../../../telemetry';
 import { IOAuthGrantPayload } from '../../../types/permissions';
 import { IUser } from '../../../types/profile';
 import { RevokeScopesError } from '../../utils/error-utils/RevokeScopesError';
 import { translateMessage } from '../../utils/translate-messages';
 import { DEFAULT_USER_SCOPES, REVOKING_PERMISSIONS_REQUIRED_SCOPES } from '../graph-constants';
-import { getConsentedScopesSuccess } from '../slices/auth.slice';
+import { getAuthTokenSuccess, getConsentedScopesSuccess } from '../slices/auth.slice';
+import { fetchAllPrincipalGrants } from '../slices/permission-grants.slice';
 import { setQueryResponseStatus } from '../slices/query-status.slice';
 import { REVOKE_STATUS, RevokePermissionsUtil } from './permissions-action-creator.util';
 
@@ -62,8 +64,21 @@ export const revokeScopes = createAsyncThunk(
       const updatedScopes = await updatePermissions(permissionsUpdateObject);
 
       if (updatedScopes) {
+        // Force token refresh with user interaction to get new token with updated scopes
+        try {
+          const authResponse = await authenticationWrapper.refreshToken(updatedScopes);
+
+          if (authResponse && authResponse.accessToken) {
+            dispatch(getAuthTokenSuccess());
+          }
+        } catch (error) {
+          // Even if refresh fails, we still update the consented scopes
+          // Token will be refreshed on next API call
+        }
+
         dispatchScopesStatus(dispatch, 'Permission revoked', 'Success', 'success');
         dispatch(getConsentedScopesSuccess(updatedScopes));
+        dispatch(fetchAllPrincipalGrants());
         trackRevokeConsentEvent(REVOKE_STATUS.success, permissionToRevoke);
         return updatedScopes;
       } else {

src/messages/GE.json

@@ -457,7 +457,7 @@
   "No samples found": "We did not find any sample queries",
   "You require the following permissions to revoke": "You require Directory.Read.All and DelegatedPermissionGrant.ReadWrite.All to be able to revoke consent to permissions",
   "Cannot delete default scope": "Graph Explorer requires this permission for its normal working behavior",
-  "Permission revoked": "Permission revoked successfully. Sign out and sign in again for these changes to take effect. These changes may take some time to reflect on your token",
+  "Permission revoked": "Permission revoked successfully. If you don’t see the change right away, sign out and back in. The update may take some time to propagate to your token.",
   "An error occurred when unconsenting": "An error occurred when unconsenting. Please try again",
   "You are unconsenting to an admin pre-consented permission": "You are unconsenting to an admin pre-consented permission. Ask your tenant admin to revoke consent to this permission on Azure AD",
   "Possible error found in URL near": "Possible error found in URL near",

src/modules/authentication/AuthenticationWrapper.ts

@@ -26,6 +26,7 @@ const defaultScopes = DEFAULT_USER_SCOPES.split(' ');
 export class AuthenticationWrapper implements IAuthenticationWrapper {
   private static instance: AuthenticationWrapper;
   private consentingToNewScopes: boolean = false;
+  private revokingScopes: boolean = false;
   private performingStepUpAuth: boolean = false;
   private claimsAvailable: boolean = false;
   private sampleQuery: IQuery = {
@@ -117,11 +118,32 @@ export class AuthenticationWrapper implements IAuthenticationWrapper {
    */
   public async consentToScopes(scopes: string[] = []): Promise<AuthenticationResult> {
     this.consentingToNewScopes = true;
-    // eslint-disable-next-line no-useless-catch
     try {
-      return await this.loginWithInteraction(scopes);
+      const result = await this.loginWithInteraction(scopes);
+      this.consentingToNewScopes = false;
+      return result;
+    } catch (error) {
+      this.consentingToNewScopes = false;
+      throw error;
+    }
+  }
+
+  /**
+   * Forces a token refresh with user interaction to ensure token reflects updated scopes
+   * This is necessary after permission changes (consent/revoke) to get a fresh token from Azure AD
+   * @param {string[]} scopes - optional scopes to refresh token with
+   * @returns {Promise.<AuthenticationResult>}
+   */
+  public async refreshToken(scopes: string[] = []): Promise<AuthenticationResult> {
+    this.revokingScopes = true;
+
+    try {
+      const result = await this.loginWithInteraction(scopes.length > 0 ? scopes : defaultScopes);
+      this.revokingScopes = false;
+      return result;
     } catch (error) {
-      throw new Error(`Error occurred while consenting to scopes: ${error}`);
+      this.revokingScopes = false;
+      throw error;
     }
   }
 
@@ -255,7 +277,7 @@ export class AuthenticationWrapper implements IAuthenticationWrapper {
       tokenQueryParameters: getExtraQueryParameters()
     };
 
-    if (this.consentingToNewScopes || this.performingStepUpAuth) {
+    if (this.consentingToNewScopes || this.performingStepUpAuth || this.revokingScopes) {
       delete popUpRequest.prompt;
       popUpRequest.loginHint = this.getAccount()?.username;
     }
@@ -295,6 +317,7 @@ export class AuthenticationWrapper implements IAuthenticationWrapper {
     localStorage.removeItem(HOME_ACCOUNT_KEY);
   }
 
+
   /**
    * This is an own implementation of the  clearCache() function that is no longer available;
    * to support logging out via Popup which is not currently native to the msal application.