Skip to content

Native auth MFA, AB#2083675, Fixes AB#2083675 #2489

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Sep 20, 2024
Merged

Native auth MFA, AB#2083675, Fixes AB#2083675 #2489

merged 13 commits into from
Sep 20, 2024

Conversation

@SammyO
Copy link
Contributor

@SammyO SammyO commented Aug 28, 2024
edited by azure-boards bot
Loading

Support for email OTP based MFA in native authentication flows.

  • Added MFA results and states to the SDK interface
  • Business logic & API integration
  • Custom error handling for MFA required error during calls to /token with grant_type=refresh_token
  • Private preview warnings in console and documentation
  • Unit and E2E production tests

MSAL PR: AzureAD/microsoft-authentication-library-for-android#2167

AB#2083675

@SammyO SammyO added the Skip-Consumers-Check Only include this if making a breaking change purposefully, and there is an MSAL/ADAL/Broker PR label Aug 28, 2024
@SammyO SammyO mentioned this pull request Aug 28, 2024
Merged
@SammyO
MFA error handling (#2493)
107e2ae 
When MFA is required during a call to /token with
grant_type=refresh_token, we need some native auth specific handling to
inform developers on how to handle this error.

**Note**: Ideally I'd like to store the `50076` error code in a
dedicated file, but I'm unsure what to call such a file, as
`OAuth2ErrorCode` already exists. IMO this class name is wrong, as these
are OAuth2 errors, not error codes.
@SammyO
Merge branch 'dev' into sammy/mfa-epic
22ac035
@SammyO SammyO marked this pull request as ready for review September 11, 2024 09:07
@SammyO SammyO requested review from a team as code owners September 11, 2024 09:07
Yuki-YuXin
Yuki-YuXin reviewed Sep 16, 2024
View reviewed changes
...c/main/com/microsoft/identity/common/java/nativeauth/controllers/results/MFACommandResult.kt
override fun toUnsanitizedString(): String = "VerificationRequired(correlationId=$correlationId, codeLength=$codeLength, challengeTargetLabel=$challengeTargetLabel, challengeChannel=$challengeChannel)"

override fun toString(): String = "VerificationRequired(correlationId=$correlationId, codeLength=$codeLength, challengeChannel=$challengeChannel)"
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe challengeChannel is sensitive?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think so. challengeChannel is email, phone, etc.

nilo-ms
nilo-ms reviewed Sep 20, 2024
View reviewed changes
...va/com/microsoft/identity/common/nativeauth/internal/controllers/NativeAuthMsalController.kt

try {
// Add default scopes
val mergedScopes: List<String> = addDefaultScopes(parameters.scopes)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

interesting, on iOS we add the default scopes only during the first "signIn(username, password: optional)" SDK call. Then the scopes are stored internally in memory (in the state). Why do you add the default scopes here too?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would indeed be a better approach. Doing that is quite a refactoring in Android, as we pass scopes from one state to the next only if they're set by the developer (see interface classes, e.g. MFAStates. We don't take scopes from the result of an API call; but moreover, there is no result of an API call that includes scopes until the final token call is successful.
In signInSubmitCode we currently also set default scopes.

nilo-ms
nilo-ms reviewed Sep 20, 2024
View reviewed changes
common/src/main/java/com/microsoft/identity/common/nativeauth/internal/util/CommandUtil.java Outdated

/**
* Adds continuation token to [SignInStartCommandParameters] object and returns a new
* [SignInSubmitPasswordCommandParameters] object.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Should this "SignInSubmitCodeCommandParameters" ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, actually this entire comment is wrong.

@github-actions
Copy link

❌ Work item link check failed. Description contains AB#2083675 but the Bot could not link it to an Azure Boards work item.

Click here to learn more.

@github-actions
Copy link

✅ Work item link check complete. Description contains link AB#2083675 to an Azure Boards work item.

@SammyO SammyO changed the title Native auth MFA Native auth MFA, AB#2083675 Sep 20, 2024
@github-actions github-actions bot changed the title Native auth MFA, AB#2083675 Native auth MFA, AB#2083675, Fixes AB#2083675 Sep 20, 2024
@SammyO SammyO merged commit e645bc5 into dev Sep 20, 2024
34 of 36 checks passed
SammyO added a commit to AzureAD/microsoft-authentication-library-for-android that referenced this pull request Sep 20, 2024
@SammyO @Yuki-YuXin
Native auth MFA (#2167)
cbd5e61 
Support for email OTP based MFA in native authentication flows.

- Added MFA results and states to the SDK interface
- Business logic & API integration
- Custom error handling for MFA required error during calls to /token
with grant_type=refresh_token
- Private preview warnings in console and documentation
- Unit and E2E production tests

MSAL common PR:
AzureAD/microsoft-authentication-library-common-for-android#2489

---------

Co-authored-by: Yuki-YuXin <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Yuki-YuXin Yuki-YuXin Yuki-YuXin approved these changes

@fadidurah fadidurah fadidurah approved these changes

@nilo-ms nilo-ms nilo-ms approved these changes

+1 more reviewer

@rmccahill rmccahill rmccahill approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Skip-Consumers-Check Only include this if making a breaking change purposefully, and there is an MSAL/ADAL/Broker PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@SammyO @fadidurah @nilo-ms @Yuki-YuXin @rmccahill