
Azure oauth v2.0 interaction_required error with trusted ip and MFA


I have set up this Azure AD authentication workflow on my web server:

1 - The user logs in from this URL:

https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?
    client_id={client_id}
    &redirect_uri=https://example.com/callback
    &scope=openid%20https%3A%2F%2Fgraph.windows.net%2Fuser.read
    &response_mode=query
    &response_type=code

2 - (MFA) The user submits a form with a code received on their phone

3 - The user is redirected to https://example.com/callback?code={azure_given_code}

4 - I exchange the {azure_given_code} for a token via the following POST request, server side:

POST https://login.microsoftonline.com/{tenant_id}/oauth2/token

{
    "client_id": "{client_id}",
    "client_secret": "{client_secret}",
    "code": "{azure_given_code}",
    "grant_type": "authorization_code",
    "redirect_uri": "https://example.com/callback"
}

5 - I receive an access token and can retrieve the logged-in user from this URL, again server side:

https://graph.windows.net/me?api-version=1.6

I added our office IP address to the trusted IP list so that users can bypass MFA when connecting from our network.

Everything works fine if I am doing this workflow outside of the office network (from an untrusted IP that triggers MFA). But with my office IP, step 2 is bypassed (as expected) and at step 3 I get the following error:

{
    "error": "interaction_required",
    "error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access …",
    "error_codes": [50076],
    "timestamp": "2020-03-13 12:54:58Z",
    "trace_id": "..."
}

What am I missing here to get this workflow working in both cases (from a trusted and from an untrusted IP)?

I am really stuck with this issue, many thanks for your help.


Solution

  • Here is how I solved my problem.

    When the user is redirected to the login URL https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?..., his IP is used to determine whether or not he can bypass MFA according to the trusted IP rules.

    Then, when the azure_given_code is retrieved, the request for the token is made server side, using the server IP, which is the cause of the error (the server IP is not a trusted one).

    Doing the POST https://login.microsoftonline.com/{tenant_id}/oauth2/token client side solved the issue, since the IP used for the request is then a trusted one.

    EDIT

    In this case, you should not expose your client_secret on the front end. You should configure your app in Azure as a single-page application platform.