Is it possible to implement Azure AD B2C Auth using ROPC and MFA?
Microsoft docs pretty much explicitly say "no" (bold added by me):
ROPC doesn’t work when there's any interruption to the authentication flow that needs user interaction. For example, when a password has expired or needs to be changed, multifactor authentication is required, or when more information needs to be collected during sign-in (for example, user consent).
So, before I spend countless hours digging around, I was hoping someone here might be able to quickly settle this for me. Is there any way at all to implement MFA using Azure AD B2C ROPC? Or is it, as Microsoft indicates, flat-out "no"?
The main reason I ask is because that same paragraph suggests that ROPC cannot be used when the password needs to be reset - however, we've been able to implement a workaround for that, by using the Graph API to handle resetting of the password.
Presently, the way we are handling authentication is to call CreatePublicClientApplication().AcquireTokenByUsernamePassword(), and the way we are handling password reset is to call the Graph API with a PATCH request, setting the passwordProfile using the new password.
So - is there a way to basically "tell" Azure AD B2C that the MFA has been handled? My theory is perhaps we could do the following:
- User accesses login page
- User enters username and password
- System uses Graph API (or something else) to invoke an MFA request, causing the text message to be sent to user, and stores identifying handshake information for MFA request
- System temporarily stores the info, and then presents the user with a follow-up prompt saying something along the lines of "enter the code you received on your phone"
- User enters code within acceptable time limit
- System sends code to Graph API to validate
- System passes username, password, and handshake information from Step 3 to log user in
You are right, as mentioned in the MsDoc, ROPC will not work for the users who have enabled with MFA. They will be blocked by the application when they try to login.
I enabled MFA for the user like below:
I generated access token using ROPC flow by using below parameters:
https://login.microsoftonline.com/organizations/oauth2/v2.0/token
client_id:ClientID
scope:https://graph.microsoft.com/.default
username:[email protected]
password:Trash33!
grant_type:password
client_secrer:***
And I got the error like below:
To resolve the error, I disabled MFA and access token got generated successfully:
Note that: The workaround you mentioned doesn't satisfy the ROPC flow with MFA enabled users.
Hence as a workaround. make use of any other user interactive flows such as Authorization Code flow, Implicit flow etc to achieve your scenario.
Generated auth-code like below:
https://b2ctenant.b2clogin.com/b2ctenant.onmicrosoft.com/B2C_1_Signinsignup/oauth2/v2.0/authorize?
&client_id=xxxx
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://b2ctenant.onmicrosoft.com/xxxxx/test.read
&state=12345
Now, I generated access token by using below parameters:
https://b2ctenant.b2clogin.com/b2ctenant.onmicrosoft.com/B2C_1_Signinsignup/oauth2/v2.0/token
client_id:xxxx
grant_type:authorization_code
scope:https://b2ctenant.onmicrosoft.com/xxx/test.read
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- How do I programmatically clear or update a phone number for Azure AD B2C MFA?
- B2C - How to override sign up now link (custom policy)
- Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed
- B2C Sign-up screen shows {OIDC:LoginHint} instead of the login
- During signIn receiving B2C error code ‘AADB2C99059’
- Azure B2C / WPF - Handling a failed MFA verification flow
- Assign B2C User to ExternalAzureAD identity
- AADB2C90304: User journey went into a bad state. Claims exchange with id 'LocalAccountSigninEmailExchange' could not be found in orchestration step
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Sign in to Azure B2C with an OpenID account (Microsoft Work email) but prevent user from signing up
- Azure b2c still authenticated after hitting logout
- Can Azure AD B2C send extension attributes without the extension prefix on a SAML token in a SAML IdP-initiated SSO flow?
- Azure B2C Signup page
- Azure B2C integration not working on app built using pwabuilder for iOS
- Azure AD B2C problem with Self-Service password reset
- use of b2clogin.com when acquiring token with Client Credential Grant Flow
- Azure B2C does not receive script information written in HTML files uploaded to storage
- Azure B2C: Edit Profile via a single page
- Azure b2c cutom policy signin validation profile
- Mendix and Azure Ad B2C AuthRequest does not have assertion consumer service URL
- Azure Active Directory B2C: How to query MS Graph to get a user's alternative security ID?
- Did B2C user creation defaults change regarding password reset?
- Refresh Tokens and MicrosoftIdentityWebApp
- ADB2C Social Log in - what is the difference between alternateSecurityId and userIdentity?
- To allow external client application users to access B2C Integrated client website
- Correlation failed in asp.net core
- Custom attribute as stringCollection on Azure AD B2C
- How to get detailed exception in Azure B2C Custom policy by Correlation ID?
- Authenticating with Azure AD B2C Issue