Native auth MFA (#2167)

Support for email OTP based MFA in native authentication flows.

- Added MFA results and states to the SDK interface
- Business logic & API integration
- Custom error handling for MFA required error during calls to /token
with grant_type=refresh_token
- Private preview warnings in console and documentation
- Unit and E2E production tests

MSAL common PR:
AzureAD/microsoft-authentication-library-common-for-android#2489

---------

Co-authored-by: Yuki-YuXin <[email protected]>

Author: SammyO

changelog

@@ -4,6 +4,7 @@ vNext
 ----------
 -[MINOR] Moving OS version check for passkeys (#2138)
 -[PATCH] Fix Native Auth authority data being persisted across different SDK instances (#2159)
+-[MINOR] Support for email OTP MFA in native authentication (#2167)
 
 Version 5.5.0
 ---------

common

@@ -0,0 +1,99 @@
+//  Copyright (c) Microsoft Corporation.
+//  All rights reserved.
+//
+//  This code is licensed under the MIT License.
+//
+//  Permission is hereby granted, free of charge, to any person obtaining a copy
+//  of this software and associated documentation files(the "Software"), to deal
+//  in the Software without restriction, including without limitation the rights
+//  to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+//  copies of the Software, and to permit persons to whom the Software is
+//  furnished to do so, subject to the following conditions :
+//
+//  The above copyright notice and this permission notice shall be included in
+//  all copies or substantial portions of the Software.
+//
+//  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+//  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+//  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+//  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+//  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+//  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+//  THE SOFTWARE.
+package com.microsoft.identity.nativeauth
+
+import android.os.Parcel
+import android.os.Parcelable
+import com.microsoft.identity.common.java.nativeauth.providers.responses.signin.AuthenticationMethodApiResult
+import com.microsoft.identity.common.java.nativeauth.util.ILoggable
+import com.microsoft.identity.nativeauth.statemachine.states.AwaitingMFAState
+import com.microsoft.identity.nativeauth.utils.serializable
+
+/**
+ * AuthMethod represents a user's authentication methods.
+ */
+data class AuthMethod(
+    // Auth method ID
+    val id: String,
+
+    // Auth method challenge type (oob, etc.)
+    val challengeType: String,
+
+    // Auth method login hint (e.g. [email protected])
+    val loginHint: String,
+
+    // Auth method challenge channel (email, etc.)
+    val challengeChannel: String,
+) : ILoggable, Parcelable {
+    override fun toUnsanitizedString(): String = "AuthMethod(id=$id, " +
+            "challengeType=$challengeType, loginHint=$loginHint, challengeChannel=$challengeChannel)"
+
+    override fun toString(): String = "AuthMethod(id=$id, challengeType=$challengeType, challengeChannel=$challengeChannel)"
+
+    constructor(parcel: Parcel) : this(
+        id = parcel.readString()  ?: "",
+        challengeType = parcel.readString() ?: "",
+        loginHint = parcel.readString() ?: "",
+        challengeChannel = parcel.readString() ?: ""
+    )
+
+    override fun describeContents(): Int {
+        return 0
+    }
+
+    override fun writeToParcel(parcel: Parcel, flags: Int) {
+        parcel.writeString(id)
+        parcel.writeString(challengeType)
+        parcel.writeString(loginHint)
+        parcel.writeString(challengeChannel)
+    }
+
+    companion object CREATOR : Parcelable.Creator<AuthMethod> {
+        override fun createFromParcel(parcel: Parcel): AuthMethod {
+            return AuthMethod(parcel)
+        }
+
+        override fun newArray(size: Int): Array<AuthMethod?> {
+            return arrayOfNulls(size)
+        }
+    }
+}
+
+/**
+ * Converts a list of auth method API response to a list of [AuthMethod] objects
+ */
+internal fun List<AuthenticationMethodApiResult>.toListOfAuthMethods(): List<AuthMethod> {
+    return this.map { it.toAuthMethod() }
+}
+
+/**
+ * Converts an [AuthenticationMethodApiResult] API response to an [AuthMethod] object
+ */
+internal fun AuthenticationMethodApiResult.toAuthMethod(): AuthMethod {
+    return AuthMethod(
+        id = this.id,
+        challengeType = this.challengeType,
+        loginHint = this.loginHint,
+        challengeChannel = this.challengeChannel
+    )
+}

msal/src/main/java/com/microsoft/identity/client/internal/CommandParametersAdapter.java

@@ -72,6 +72,7 @@ import com.microsoft.identity.nativeauth.statemachine.results.ResetPasswordStart
 import com.microsoft.identity.nativeauth.statemachine.results.SignInResult
 import com.microsoft.identity.nativeauth.statemachine.results.SignUpResult
 import com.microsoft.identity.nativeauth.statemachine.states.AccountState
+import com.microsoft.identity.nativeauth.statemachine.states.AwaitingMFAState
 import com.microsoft.identity.nativeauth.statemachine.states.Callback
 import com.microsoft.identity.nativeauth.statemachine.states.ResetPasswordCodeRequiredState
 import com.microsoft.identity.nativeauth.statemachine.states.SignInCodeRequiredState
@@ -334,7 +335,6 @@ class NativeAuthPublicClientApplication(
         )
         return withContext(Dispatchers.IO) {
             try {
-
                 verifyNoUserIsSignedIn()
 
                 if (username.isBlank()) {
@@ -393,7 +393,6 @@ class NativeAuthPublicClientApplication(
                                 )
                             }
                         }
-
                         is SignInCommandResult.CodeRequired -> {
                             Logger.warn(
                                 TAG,
@@ -412,7 +411,6 @@ class NativeAuthPublicClientApplication(
                                 channel = result.challengeChannel
                             )
                         }
-
                         is INativeAuthCommandResult.InvalidUsername -> {
                             SignInError(
                                 errorType = ErrorTypes.INVALID_USERNAME,
@@ -422,7 +420,6 @@ class NativeAuthPublicClientApplication(
                                 errorCodes = result.errorCodes
                             )
                         }
-
                         is SignInCommandResult.PasswordRequired -> {
                             if (hasPassword) {
                                 Logger.warnWithObject(
@@ -446,7 +443,6 @@ class NativeAuthPublicClientApplication(
                                 )
                             }
                         }
-
                         is SignInCommandResult.UserNotFound -> {
                             SignInError(
                                 errorType = ErrorTypes.USER_NOT_FOUND,
@@ -456,7 +452,6 @@ class NativeAuthPublicClientApplication(
                                 errorCodes = result.errorCodes
                             )
                         }
-
                         is SignInCommandResult.InvalidCredentials -> {
                             if (hasPassword) {
                                 SignInError(
@@ -480,7 +475,16 @@ class NativeAuthPublicClientApplication(
                                 )
                             }
                         }
-
+                        is SignInCommandResult.MFARequired -> {
+                            SignInResult.MFARequired(
+                                nextState = AwaitingMFAState(
+                                    continuationToken = result.continuationToken,
+                                    correlationId = result.correlationId,
+                                    scopes = scopes,
+                                    config = nativeAuthConfig
+                                )
+                            )
+                        }
                         is INativeAuthCommandResult.Redirect -> {
                             SignInError(
                                 errorType = ErrorTypes.BROWSER_REQUIRED,
@@ -489,7 +493,6 @@ class NativeAuthPublicClientApplication(
                                 correlationId = result.correlationId
                             )
                         }
-
                         is INativeAuthCommandResult.APIError -> {
                             SignInError(
                                 errorMessage = result.errorDescription,

msal/src/main/java/com/microsoft/identity/nativeauth/AuthMethod.kt

@@ -59,6 +59,12 @@ internal class ErrorTypes {
          */
         const val INVALID_CODE = "invalid_code"
 
+        /*
+         * The INVALID_CODE value indicates the challenge provided by user is incorrect.
+         * The code should be re-submitted.
+         */
+        const val INVALID_CHALLENGE = "invalid_challenge"
+
         /*
          * The USER_NOT_FOUND value indicates there was no account found with the provided email.
          * The flow should be restarted.

msal/src/main/java/com/microsoft/identity/nativeauth/NativeAuthPublicClientApplication.kt

@@ -0,0 +1,72 @@
+package com.microsoft.identity.nativeauth.statemachine.errors
+
+import com.microsoft.identity.nativeauth.statemachine.results.MFAGetAuthMethodsResult
+import com.microsoft.identity.nativeauth.statemachine.results.MFARequiredResult
+import com.microsoft.identity.nativeauth.statemachine.results.MFASubmitChallengeResult
+
+/**
+ * MFA request challenge error. Use the utility methods of this class
+ * to identify and handle the error. This error is produced by
+ * [com.microsoft.identity.nativeauth.statemachine.states.MFARequiredState.requestChallenge] and
+ * [com.microsoft.identity.nativeauth.statemachine.states.AwaitingMFAState.requestChallenge].
+ * @param errorType the error type value of the error that occurred.
+ * @param error the error returned by the authentication server.
+ * @param errorMessage the error message returned by the authentication server.
+ * @param correlationId a unique identifier for the request that can help in diagnostics.
+ * @param errorCodes a list of specific error codes returned by the authentication server.
+ * @param exception an internal unexpected exception that happened.
+ */
+class MFARequestChallengeError(
+    override val errorType: String? = null,
+    override val error: String? = null,
+    override val errorMessage: String?,
+    override val correlationId: String,
+    override val errorCodes: List<Int>? = null,
+    val subError: String? = null,
+    override var exception: Exception? = null
+): MFARequiredResult, BrowserRequiredError, Error(errorType = errorType, error = error, errorMessage= errorMessage, correlationId = correlationId, errorCodes = errorCodes, exception = exception)
+
+/**
+ * MFA get authentication methods error. Use the utility methods of this class
+ * to identify and handle the error. This error is produced by
+ * [com.microsoft.identity.nativeauth.statemachine.states.MFARequiredState.getAuthMethods]
+ * @param errorType the error type value of the error that occurred.
+ * @param error the error returned by the authentication server.
+ * @param errorMessage the error message returned by the authentication server.
+ * @param correlationId a unique identifier for the request that can help in diagnostics.
+ * @param errorCodes a list of specific error codes returned by the authentication server.
+ * @param exception an internal unexpected exception that happened.
+ */
+class MFAGetAuthMethodsError(
+    override val errorType: String? = null,
+    override val error: String? = null,
+    override val errorMessage: String?,
+    override val correlationId: String,
+    override val errorCodes: List<Int>? = null,
+    val subError: String? = null,
+    override var exception: Exception? = null
+): MFAGetAuthMethodsResult, BrowserRequiredError, Error(errorType = errorType, error = error, errorMessage= errorMessage, correlationId = correlationId, errorCodes = errorCodes, exception = exception)
+
+/**
+ * MFA submit challenge error. The user should use the utility methods of this class
+ * to identify and handle the error. This error is produced by
+ * [com.microsoft.identity.nativeauth.statemachine.states.MFARequiredState.submitChallenge]
+ * @param errorType the error type value of the error that occurred.
+ * @param error the error returned by the authentication server.
+ * @param errorMessage the error message returned by the authentication server.
+ * @param correlationId a unique identifier for the request that can help in diagnostics.
+ * @param errorCodes a list of specific error codes returned by the authentication server.
+ * @param exception an internal unexpected exception that happened.
+ */
+class MFASubmitChallengeError(
+    override val errorType: String? = null,
+    override val error: String? = null,
+    override val errorMessage: String?,
+    override val correlationId: String,
+    override val errorCodes: List<Int>? = null,
+    val subError: String? = null,
+    override var exception: Exception? = null
+): MFASubmitChallengeResult, Error(errorType = errorType, error = error, errorMessage= errorMessage, correlationId = correlationId, errorCodes = errorCodes, exception = exception)
+{
+    fun isInvalidChallenge(): Boolean = this.errorType == ErrorTypes.INVALID_CHALLENGE
+}

msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/errors/Error.kt

@@ -0,0 +1,73 @@
+//  Copyright (c) Microsoft Corporation.
+//  All rights reserved.
+//
+//  This code is licensed under the MIT License.
+//
+//  Permission is hereby granted, free of charge, to any person obtaining a copy
+//  of this software and associated documentation files(the "Software"), to deal
+//  in the Software without restriction, including without limitation the rights
+//  to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+//  copies of the Software, and to permit persons to whom the Software is
+//  furnished to do so, subject to the following conditions :
+//
+//  The above copyright notice and this permission notice shall be included in
+//  all copies or substantial portions of the Software.
+//
+//  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+//  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+//  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+//  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+//  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+//  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+//  THE SOFTWARE.
+
+package com.microsoft.identity.nativeauth.statemachine.results
+
+import com.microsoft.identity.nativeauth.AuthMethod
+import com.microsoft.identity.nativeauth.statemachine.states.MFARequiredState
+
+/**
+ * Results related to various MFA operations.
+ */
+interface MFARequiredResult: Result {
+
+    /**
+     * Verification required result, which indicates that a challenge was sent to the user's auth method,
+     * and the server expects the challenge to be verified.
+     *
+     * @param nextState [com.microsoft.identity.nativeauth.statemachine.states.MFARequiredState] the current state of the flow with follow-on methods.
+     * @param codeLength the length of the challenge required by the server.
+     * @param sentTo the email/phone number the challenge was sent to.
+     * @param channel the channel(email/phone) the challenge was sent through.
+     */
+    class VerificationRequired(
+        override val nextState: MFARequiredState,
+        val codeLength: Int,
+        val sentTo: String,
+        val channel: String,
+    ) : MFARequiredResult, Result.SuccessResult(nextState = nextState)
+
+    /**
+     * Selection required result, which indicates that a specific authentication method must be selected, which
+     * the server will send the challenge to (once sendChallenge() is called).
+     *
+     * @param nextState [com.microsoft.identity.nativeauth.statemachine.states.MFARequiredState] the current state of the flow with follow-on methods.
+     * @param authMethods the authentication methods that can be used to complete the challenge flow.
+     */
+    class SelectionRequired(
+        override val nextState: MFARequiredState,
+        val authMethods: List<AuthMethod>
+    ) : MFARequiredResult, MFAGetAuthMethodsResult, Result.SuccessResult(nextState = nextState)
+}
+
+/**
+ * Results related to get authentication methods operation, produced by
+ * [com.microsoft.identity.nativeauth.statemachine.states.MFARequiredState.getAuthMethods]
+ */
+interface MFAGetAuthMethodsResult : Result
+
+/**
+ * Results related to MFA submit challenge operation, produced by
+ * [com.microsoft.identity.nativeauth.statemachine.states.MFARequiredState.submitChallenge]
+ */
+interface MFASubmitChallengeResult : Result

msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/errors/MFAErrors.kt

@@ -23,7 +23,6 @@
 
 package com.microsoft.identity.nativeauth.statemachine.results
 
-import com.microsoft.identity.nativeauth.statemachine.errors.ErrorTypes
 import com.microsoft.identity.nativeauth.statemachine.states.ResetPasswordCodeRequiredState
 import com.microsoft.identity.nativeauth.statemachine.states.ResetPasswordPasswordRequiredState
 import com.microsoft.identity.nativeauth.statemachine.states.SignInContinuationState