Invoking MFA without invoking login flow for OIDC in Azure AD B2

Pawan Venugopal 0 Reputation points
2024-10-03T04:26:17.27+00:00

UseCase:

Invoke MFA only for certain high risk actions like fund transfer or change settings in an Authenticated Session. i.e user uses Azure AD B2C to login to our app with is configured with MFA. Once the user has successfully authenticated I would like to invoke MFA without invoking login flow for OIDC.

For Example in the below code, If the user is alredy logged it and MFA verified it does not re-prompt for MFA.


app.use('/auth/2fa', ensureLoggedIn, (req,res) =>{
    console.log ("******In MFA Page******");
    const state = JSON.stringify({ action: 'secure_page', targetURL: '/secure_page' });
    const nonce = crypto.randomBytes(16).toString('hex');
   
    passport.authenticate('oidc', {
      scope: ['openid', 'profile', 'email'],
      state:  state,
      nonce: nonce,
      acr_values: 'http://schemas.openid.net/pape/policies/2007/06/multi-factor'
      
  })(req, res);
});

But if i add the additional attribute prompt as login, it prompts the login screen and then MFA. Which is not the behavior i am looking for.


app.use('/auth/2fa', ensureLoggedIn, (req,res) =>{
    console.log ("******In MFA Page******");
    const state = JSON.stringify({ action: 'secure_page', targetURL: '/secure_page' });
    const nonce = crypto.randomBytes(16).toString('hex');
   
    passport.authenticate('oidc', {
      scope: ['openid', 'profile', 'email'],
      state:  state,
      nonce: nonce,
      acr_values: 'http://schemas.openid.net/pape/policies/2007/06/multi-factor',
      prompt: 'login'
  })(req, res);
});
Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,921 questions
Microsoft Entra
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Raja Pothuraju 8,095 Reputation points Microsoft Vendor
    2024-10-10T19:02:27.7533333+00:00

    Hello @Pawan Venugopal,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that you are looking for a solution to re-authenticate users using only MFA, without requiring both Password and MFA, for an Azure AD B2C application. You mentioned that you were able to prompt re-authentication by adding the "prompt=login" parameter in your request, even when the user had a valid session with Azure AD B2C. Please correct me if I’m wrong.

    The "prompt=login" parameter forces users to enter their credentials, bypassing single sign-on. However, this revokes both first-factor (password) and second-factor (MFA) sessions with Azure. Currently, it is not possible to achieve re-authentication with only MFA in Azure AD B2C or Microsoft Entra.

    I recommend submitting this feature request on the Microsoft Feedback Portal. It’s an excellent way to highlight the importance of this feature for your organization. You can provide details on how this change would benefit your use case, as Microsoft product engineers regularly review feedback there.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.