aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

RedeemCode sends request from server #530

Open mdevarajuelite opened 3 months ago

mdevarajuelite commented 3 months ago

We are using Microsoft.Owin.Security.OpenIdConnect in an ASP.NET Framework web app for authorization code flow authentication.

The initial authorization code request to the identity provider (Entra ID) originates from the user's browser, but when redeeming the code for an access_token the request originates from the server. This triggers MFA because the client has Conditional Access policies configured on their Entra ID tenant, and the auth request is made from the Azure App Service server/host, whose IP is not whitelisted in the client's Entra ID.

Is this expected? Is there a design/config option to trigger the access_token request from the client browser instead of the web app server?

Tratcher commented 3 months ago

It's standard protocol in the OIDC code flow for the server to do the access_token request. I don't know why that would trigger any extra checks.

If you want to do everything client side then don't use the code flow. Instead have the client authenticate with the identity provider via JavaScript and request a bearer token, and then use JwtBearer auth on the server to validate it.
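The two options Tratcher describes, as an added example in OWIN/Katana configuration code. This is not code from the issue or from the AspNetKatana repository; it assumes Katana 4.x (Microsoft.Owin.Security.OpenIdConnect with the `RedeemCode`/`SaveTokens` options, Microsoft.Owin.Security.Cookies, Microsoft.Owin.Security.ActiveDirectory) and placeholder tenant, client ID, secret and redirect URI values. Option A is the standard code flow: the only browser-originated request is the front-channel redirect to the authorize endpoint, and the code-for-token exchange is an HTTPS POST that the web server itself makes to the token endpoint, so the IdP sees the server's outbound IP. Option B keeps the server out of the token exchange entirely and only validates a bearer token the browser obtained.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.ActiveDirectory;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Placeholder values (assumed); substitute the tenant and app registration in use.
    private const string Tenant = "contoso.onmicrosoft.com";
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private const string ClientSecret = "<client secret, e.g. read from Key Vault>";
    private const string RedirectUri = "https://app.example.com/";

    public void Configuration(IAppBuilder app)
    {
        // Pick one: server-side code flow (A) or browser-acquired bearer tokens (B).
        ConfigureServerSideCodeFlow(app);
        // ConfigureBearerTokenValidation(app);
    }

    // Option A: authorization code flow handled by the web server.
    // Browser -> authorize endpoint (front channel, user's IP).
    // Server  -> token endpoint   (back channel, server's outbound IP).
    public static void ConfigureServerSideCodeFlow(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            ClientSecret = ClientSecret,
            Authority = "https://login.microsoftonline.com/" + Tenant + "/v2.0",
            RedirectUri = RedirectUri,
            // Hybrid flow: id_token arrives via the browser, the code is redeemed server side.
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            Scope = "openid profile offline_access",
            // RedeemCode = true makes the middleware POST the code to the token endpoint
            // from this process. With it false, the same POST would have to be made in
            // the AuthorizationCodeReceived notification, still from the server.
            RedeemCode = true,
            SaveTokens = true,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Surface token-endpoint or validation failures instead of a blank 500.
                AuthenticationFailed = n =>
                {
                    n.HandleResponse();
                    n.Response.Redirect("/Error?message=" + Uri.EscapeDataString(n.Exception.Message));
                    return Task.FromResult(0);
                },
            },
        });
    }

    // Option B: the browser signs in with Entra ID directly (e.g. via a JavaScript
    // auth library) and sends the resulting access token as "Authorization: Bearer".
    // The server never calls the token endpoint; it only fetches the tenant's signing
    // keys from metadata and validates signature, issuer, audience and lifetime.
    public static void ConfigureBearerTokenValidation(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = Tenant,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Must match the audience the client requested the token for.
                    ValidAudience = "api://" + ClientId,
                },
            });
    }
}
```

With option B the user still authenticates interactively in the browser, so any Conditional Access evaluation happens against the user's own IP; the server's only outbound call is the periodic signing-key fetch. Note that this middleware reads the tenant's federation metadata and by default expects the v1 issuer (`https://sts.windows.net/{tenant-id}/`); if the browser acquires v2.0 tokens, set `ValidIssuer` accordingly in `TokenValidationParameters`.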

mdevarajuelite commented 3 months ago

Thanks for confirming. Before moving the authentication to the client side, we wanted to see if there are any ways to fix this, as it looked like a common scenario.

The client has set up a Conditional Access policy on their Entra ID for security purposes, and the server IP is not part of their trusted IPs, so MFA is triggered during the non-interactive sign-in (token request). This is not an issue for a single client; multiple clients are complaining about the same thing.