Azure MFA in Cordova app that uses JWT OAuth 2.0 t

2019-08-02 17:17发布

I am developing a Cordova app that has (until now) used a password grant to retrieve JWTs from Microsoft's standard OAuth provider in Azure:

https://login.microsoftonline.com/[tenant]/oauth2/token

It works fine. However, we are opening up our application to outside traders, and the owner wants MFA added.

So, I have created an MFA provider in Azure, I have enabled a test account for MFA.

I am currently opening the redirect request using the InAppBrowser plugin - which seems to work - it opens to the login page, it texts, I put the code in, and then it completes login to the "Applications" splash screen (Default Azure login for users).

My issue is identifying that login was successful, and retrieving JWTs. Because of the MFA, the login server now returns the following "MFA" error on initial login (not really an error):

interaction_required

However, once MFA is completed, I have no idea where to go to get my token/refresh token. If I resubmit login, it just sends back an "interaction_required" message, even if "Do Not Ask Again For [X] Days" is selected during the MFA process.

I hope the issue is clear. Let me know if not and I'll revise as necessary.

I am not currently using ADAL or any cordova plugins for authentication. I am hitting the endpoints on my own. The answer may be that I have to use ADAL.

1条回答
走好不送
2楼-- · 2019-08-02 17:19

Ok guys, here's the issue. Since I was using password grants, I was not hitting the /oauth2/authorize endpoint - it's not required with password grants - you go straight to /oauth2/token...

With MFA, /oauth2/authorize is mandatory. If MFA is enabled, it redirects and handles everything for you (very simple). You simply await your redirect url, the auth code is a query parameter, and thus is very easy to extrapolate.

After the browser redirects, you grab the authorization code, and then submit it to the /oauth2/token server, without username/password (Authorization header also not required, which is good because you don't have to ask for it twice - once for MFA, and once to pass in to /token - good call Microsoft).

Flow

testMFA = function () {
var url = "https://login.microsoftonline.com/[tenantID]/oauth2/authorize?client_id=[clientID]&response_type=code&response_mode=query";;
var target = "_blank";
var options = "location=yes";
inAppBrowserRef = cordova.InAppBrowser.open(url, target, options);
with (inAppBrowserRef) {
    try {
        addEventListener('loadstart', loadStartCallBack);
        addEventListener('loadstop', loadStartCallBack);
        addEventListener('loaderror', loadStartCallBack);
        addEventListener('exit', loadStartCallBack);
    }
    catch (ex) {
        alert(ex);
    }
}

}

Then, in 'loadStartCallBack':

else if (event.url.split('/')[2] == '[returnURLWithoutHttps://]') {
        var fullstring = event.url.split('/')[3].split('?code=')[1] 
        var code = fullstring.split('&')[0];
        var sess_state = fullstring.split('session_state=')[1];
        localStorage.tokenCode = code;
        sessionStorage.sess_state = sess_state;
        inAppBrowserRef.close();
        getToken();
    }

You then pass the authorization code into the /oauth2/token server, and receive back your token (I am leaving in password grant stuff commented, for future readers that started at a password grant):

var data =
'resource=[resourceURL]' +
//'&username=' + window.sessionStorage.loginUser + 
//'&password=' + password +
'&client_id=' + clientId +
'&code=' + authCode +
'&grant_type=authorization_code' + 
//'&grant_type=password';
'&response_type=token';
var dataFinal = encodeURI(data);

That's it. Hope it helps someone some day.

查看更多
登录 后发表回答