Is it possible to use ROPC to update profile if sign-in was done using Authorization Code with MFA?

Question

We're in the process of migrating our authentication process from ROPC to Authorization Code with MFA. We currently use ROPC for Sign Up, Sign In, Reset Password, Forgot Password, and Profile Edit. Due to the MFA requirement, we need to move the Sign Up, Sign In, Reset Password, and Forgot Password flows over to the Authorization Code flow.

Does anyone know if it will be possible to continue using ROPC for the Profile Edit part? Or will it be blocked because of the MFA requirement?

Answer 1

I agree with @rbrayb, it will be blocked if your Profile Edit user flow has MFA enabled.

You need to use interactive flows like authorization code flow if MFA is enabled for either user flows or users.

To get authorization code, make use of below authorization request:

https://b2ctenant.b2clogin.com/b2ctenant.onmicrosoft.com/B2C_1_ProfileEdit/oauth2/v2.0/authorize?
&client_id=appID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://b2ctenant.onmicrosoft.com/xxxxxx/access_as_user
&state=12345

When I ran above request in browser, it asked for MFA like this:

After completing MFA, it asked to update User Details like below:

Later, it redirected me with authorization code value in address bar like this:

I generated access token using authorization code flow via Postman with below parameters:

POST https://b2ctenant.b2clogin.com/b2ctenant.onmicrosoft.com/B2C_1_ProfileEdit/oauth2/v2.0/token
grant_type:authorization_code
client_id:appID
client_secret:secret
scope: https://b2ctenant.onmicrosoft.com/xxxx/access_as_user openid
code:<code_from_above_Step>
redirect_uri: https://jwt.ms

Response:

When I decoded the token by pasting it in jwt.ms, it has claims like below:

In your case, you cannot use ROPC flow if Profile Edit user flow has MFA enabled. Instead, you have to use interactive flow like authorization code flow for Profile Edit part too.