How to get continuation_token on the first step from Native authentication API reference?

Rodion Liuborets 0

I did everything step-by-step from https://learn.microsoft.com/en-us/entra/identity-platform/reference-native-authentication-api

I need only Sign-in logic. On the first step I make request

POST https://{tenant_subdomain}.ciamlogin.com/{tenant_subdomain}.onmicrosoft.com/oauth2/v2.0/initiate
Content-Type: application/x-www-form-urlencoded

client_id=00001111-aaaa-2222-bbbb-3333cccc4444
&challenge_type=password redirect
&username=contoso-consumer@contoso.com

And I expected Success Response with continuation_token. But I always get challenge_type = redirect. I need token to make next steps and finally get tokens to use on my backend-api.

I created app, users as in article. Where should I configure to get continuation_token ? Because I do not need redirect. We will use our custom front for Authentication. Thx for response.

Navya 12,650 Reputation points Microsoft Vendor

2024-07-24T14:22:42.7133333+00:00

Hi @Rodion Liuborets

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

1 answer

Navya 12,650 Reputation points Microsoft Vendor

2024-07-15T10:00:49.1866667+00:00

Hi @Rodion Liuborets

Thank you for posting this in Microsoft Q&A.

I understand you want get continuation_token on the first step from Native authentication API.

We will get challenge_type = redirect If an app can't support a required authentication method by Microsoft Entra, a fallback to the web-based authentication flow is needed. In this scenario, Microsoft Entra informs the app by returning a redirect challenge type in its response.

Microsoft Entra's native authentication API supports sign-up and sign-in for two authentication methods:

1.Email with password, which supports sign-up and sign-in with an email and password, and self-service password reset (SSPR).

2.Email one-time passcode, which supports sign-up and sign-in with email one-time passcode.

The value is expected to oob redirect for email one-time passcode and oob password redirect for email with password authentication method.

Could you please confirm which authentication method you are using: Email with password or Email one-time passcode? Also, can you ensure that the same authentication method is used for both sign-up and sign-in?

If you are using Email with password The user that you use to sign in has to be created via an email with password user flow. For a given authentication method, the challenge type values an app sends to Microsoft Entra during sign-up flow are same to when the app signs in. For example, the email with password authentication method uses oob, password and redirect challenge type values for both sign-up and sign-in flows.

Thanks,

Navya
Please sign in to rate this answer.

1 person found this answer helpful.
Rodion Liuborets 0 Reputation points

2024-07-17T09:38:10.26+00:00

Hi . Thx for your response. I use Email with password.
I created test user manually from web and I want only sign-in flow. I do not need sign-up.

I have to integrate sign-in flow to my existing application.

The whole flow will be -

We create user on our external app.

We will add this user manually to Entra to our tenant and application or maybe will use API (to connect user to Entra application after creation, if such API existed). It can be any type of user. Someone is already has Microsoft account and we need only add him. Someone we will have to create Microsoft account and give access to login.

Then we will give link through email and this user have to login to our app through Entra.

Our app will get tokens and validate it.

Is it possible to do ? Or maybe I missed some required steps ?
We need such flow because we will have several types of user. Someone with existing Microsoft acc, someone new. So we decided to do such flow.

Navya 12,650 Reputation points Microsoft Vendor

2024-07-18T11:34:59.92+00:00

Hi @Rodion Liuborets

Thank you for following up on this.

For sign-in flow, register a customer user, which you use for testing the sign-in APIs. Alternatively, you can get this test user after you run the sign-up flow. Ensure that external users are created using the sign-in method to avoid utilizing the sign-up flow.

After creating a user, utilize the Sign-in API to obtain a continuation token.

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

Rodion Liuborets 0 Reputation points

2024-07-18T12:24:01.8933333+00:00

Hi Navya. Thx for your detailed response. I'll do the same step by step and hope it will work.)
Maybe I missed a bit with creating user.

I will repeat question from my last message.

Login flow will be -

We create user on our external app.

We will add this user manually to Entra to our tenant and application or maybe will use API (to connect user to Entra application after creation, if such API existed). It can be any type of user. Someone is already has Microsoft account and we need only add him. Someone we will have to create Microsoft account and give access to login.

Then we will give link through email and this user have to login to our app through Entra.

Our app will get tokens and validate it.

Is it possible to do ?
Or maybe I missed some required steps ?

I am interested in the second step. Will I be able to add this user through some API or I should implement sign-up flow to add user to this application? I need to do it before login. I will implement sign-up ( random password + email) after creating user on my app and send link to users email with SSPR. User will reset password and then will be able to login.

What is your opinion about such flow ?

Navya 12,650 Reputation points Microsoft Vendor

2024-07-22T11:55:12.2266667+00:00

Hi @Rodion Liuborets

Thank you for following up on this.

Yes, the steps you provided are correct for implementing the login flow. In External tenants it's important to add a self-service sign-up experience to the apps you build for consumers. You can do so by configuring self-service sign-up user flow. If a user already has an account associated with an email in your external tenant, they will be able to sign in. Users not existing in the external tenant will need to sign up.

Are you creating users instead of user self-sign-up? Self-service sign-up is a crucial feature for External ID workforce and customer scenarios. It provides partners, consumers, and other external users with a seamless method to register and gain access to your applications without requiring any action from you. Self-service password reset (SSPR) in Microsoft Entra External ID gives customers the ability to change or reset their password, with no administrator or help desk involvement.

When self-service password reset is enabled, users will encounter a sign-in page similar to the one described below.

For your reference: Self-service sign-up

Thanks,

Navya.

Rodion Liuborets 0 Reputation points

2024-08-20T16:43:59.7066667+00:00

Hi, Navya.

Thx for your response and help.
Now I got another problem )
First 2 steps of my Sign-In flow work excellent. But for 3rd step to get tokens - I always get such response without any details.

First two steps always return continuation_tokens and work good. Maybe I missed something in my settings ? Help please )

{"status":"error","message":"HTTP\/1.1 400 Bad Request returned for \u0022https:\/\/******.ciamlogin.com\/*******.onmicrosoft.com\/oauth2\/v2.0\/token\u0022."}

Rodion Liuborets 0 Reputation points

2024-08-20T16:52:23.77+00:00

I found something similar here
https://stackoverflow.com/questions/78395698/why-do-i-get-a-400-bad-request-when-requesting-an-access-token-from-azure-b2c

But I am not sure, that we have the same case. Waiting for your response.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to get continuation_token on the first step from Native authentication API reference?

1 answer

Your answer