ory / kratos

Next-gen identity server replacing your Auth0, Okta, Firebase with hardened security and PassKeys, SMS, OIDC, Social Sign In, MFA, FIDO, TOTP and OTP, WebAuthn, passwordless and much more. Golang, headless, API-first. Available as a worry-free SaaS with the fairest pricing on the market!
Apache License 2.0

Add support for Microsoft V1 provider (only V2 is supported) for MFA #3541

Open andremussche opened 11 months ago

andremussche commented 11 months ago

Describe your problem

Our customer wants to extend the use of Office365 SSO with an optional MFA check for special admin functionality. This can be done using the "amr_values" parameter (e.g. "ngcmfa" or "mfa"):

However, this parameter cannot be used with the default Microsoft provider in Kratos because it uses V2 and not V1:

Note: the customer doesn't want to include personal accounts, so V2 is not mandatory; V1 support should be enough.

When I try to use the Generic provider instead, I get a Kratos error:

Describe your ideal solution

Also support the V1 endpoints, besides the normal "microsoft" V2 provider.

Note: this includes the same not-so-OIDC-compliant dynamic tenant parameter workaround:

Also extend the "upstream_parameters" struct with "amr_values" (or pass any parameter):

Workarounds or alternatives

None: the generic provider could not be used because of the changing tenant issuer.

Version

oryd/kratos:v1.0


vinckr commented 11 months ago

Just for my understanding, Microsoft offers two ways to do OIDC sign-in, v1 and v2. And you need the mfa parameter to check for "special admin functionality", and that is not present in the current implementation that uses v2.

Did I get it right? I found this v1/v2 distinction very confusing; do you have materials from MS on this version difference by any chance?

andremussche commented 11 months ago

Yes, that's right: only V1 supports the "mfa" parameter and has the "amr" claim in the ID token, but V2 does not:

This is also stated here in this answer: https://learn.microsoft.com/en-us/answers/questions/953276/is-there-an-option-to-add-an-optional-oidc-claim-a

This page (https://learn.microsoft.com/en-us/azure/active-directory/develop/access-token-claims-reference) is a little bit confusing, because V1 has no JWT access tokens (in my test), but the "amr" claim is indeed only in the V1 ID token ("only present in v1.0 tokens"). Note: V2 has "amr" in the access token (JWT) but not in the ID token, and you cannot ask V2 for MFA, so it is rather useless.