Native auth: Update Email OTP MFA to Match EC Implementation, Fixes AB#3351233 (#2379)

This PR updates the SDK to match the latest flow from EC.

In this new flow, the developer must always supply an auth Method to the
/oauth2/v2.0/challenge endpoint which means once the .mfaRequired error
is received from token endpoint, the /oauth2/v2.0/introspect endpoint
needs to be called to retrieve the methods which are automatically
returned to the external developer.

Furthermore, whenever calling the /token endpoint is called with an MFA
Email OTP code, the grant type should be mfa_oob

Fixes
[AB#3351233](https://identitydivision.visualstudio.com/Engineering/_workitems/edit/3351233)

MSAL Common PR:
AzureAD/microsoft-authentication-library-common-for-android#2760

Author: nilo-ms

common

@@ -61,9 +61,7 @@
 import com.microsoft.identity.common.java.dto.AccountRecord;
 import com.microsoft.identity.common.java.exception.ClientException;
 import com.microsoft.identity.common.java.nativeauth.authorities.NativeAuthCIAMAuthority;
-import com.microsoft.identity.common.java.nativeauth.commands.parameters.GetAuthMethodsCommandParameters;
-import com.microsoft.identity.common.java.nativeauth.commands.parameters.MFADefaultChallengeCommandParameters;
-import com.microsoft.identity.common.java.nativeauth.commands.parameters.MFASelectedDefaultChallengeCommandParameters;
+import com.microsoft.identity.common.java.nativeauth.commands.parameters.MFAChallengeAuthMethodCommandParameters;
 import com.microsoft.identity.common.java.nativeauth.commands.parameters.MFASubmitChallengeCommandParameters;
 import com.microsoft.identity.common.java.nativeauth.commands.parameters.ResetPasswordResendCodeCommandParameters;
 import com.microsoft.identity.common.java.nativeauth.commands.parameters.ResetPasswordStartCommandParameters;
@@ -778,54 +776,6 @@ public static SignInSubmitPasswordCommandParameters createSignInSubmitPasswordCo
         return commandParameters;
     }
 
-    /**
-     * Creates command parameter for [{@link com.microsoft.identity.common.nativeauth.internal.commands.MFAChallengeCommand}] of Native Auth
-     * @param configuration PCA configuration
-     * @param tokenCache token cache for storing results
-     * @param correlationId correlation ID to use in the API request, taken from the previous request in the flow
-     * @param continuationToken continuation token
-     * @param scopes scopes requested during sign in flow
-     * @return Command parameter object
-     * @throws ClientException
-     */
-    public static MFADefaultChallengeCommandParameters createMFADefaultChallengeCommandParameters(
-            @NonNull final NativeAuthPublicClientApplicationConfiguration configuration,
-            @NonNull final OAuth2TokenCache tokenCache,
-            @NonNull final String continuationToken,
-            @NonNull final String correlationId,
-            final List<String> scopes) throws ClientException {
-
-        final NativeAuthCIAMAuthority authority = ((NativeAuthCIAMAuthority) configuration.getDefaultAuthority());
-
-        final AbstractAuthenticationScheme authenticationScheme = AuthenticationSchemeFactory.createScheme(
-                AndroidPlatformComponentsFactory.createFromContext(configuration.getAppContext()),
-                null
-        );
-
-        final MFADefaultChallengeCommandParameters commandParameters =
-                MFADefaultChallengeCommandParameters.builder()
-                        .platformComponents(AndroidPlatformComponentsFactory.createFromContext(configuration.getAppContext()))
-                        .applicationName(configuration.getAppContext().getPackageName())
-                        .applicationVersion(getPackageVersion(configuration.getAppContext()))
-                        .clientId(configuration.getClientId())
-                        .isSharedDevice(configuration.getIsSharedDevice())
-                        .redirectUri(configuration.getRedirectUri())
-                        .oAuth2TokenCache(tokenCache)
-                        .requiredBrokerProtocolVersion(configuration.getRequiredBrokerProtocolVersion())
-                        .sdkType(SdkType.MSAL)
-                        .sdkVersion(PublicClientApplication.getSdkVersion())
-                        .powerOptCheckEnabled(configuration.isPowerOptCheckForEnabled())
-                        .authority(authority)
-                        .authenticationScheme(authenticationScheme)
-                        .continuationToken(continuationToken)
-                        .scopes(scopes)
-                        .challengeType(configuration.getChallengeTypes())
-                        .correlationId(correlationId)
-                        .build();
-
-        return commandParameters;
-    }
-
     /**
      * Creates command parameter for [{@link com.microsoft.identity.common.nativeauth.internal.commands.MFAChallengeCommand}] of Native Auth
      * @param configuration PCA configuration
@@ -836,7 +786,7 @@ public static MFADefaultChallengeCommandParameters createMFADefaultChallengeComm
      * @return Command parameter object
      * @throws ClientException
      */
-    public static MFASelectedDefaultChallengeCommandParameters createMFASelectedChallengeCommandParameters(
+    public static MFAChallengeAuthMethodCommandParameters createMFAChallengeAuthMethodCommandParameters(
             @NonNull final NativeAuthPublicClientApplicationConfiguration configuration,
             @NonNull final OAuth2TokenCache tokenCache,
             @NonNull final String continuationToken,
@@ -853,8 +803,8 @@ public static MFASelectedDefaultChallengeCommandParameters createMFASelectedChal
 
         final String authMethodId = authMethod.getId();
 
-        final MFASelectedDefaultChallengeCommandParameters commandParameters =
-                MFASelectedDefaultChallengeCommandParameters.builder()
+        final MFAChallengeAuthMethodCommandParameters commandParameters =
+                MFAChallengeAuthMethodCommandParameters.builder()
                         .platformComponents(AndroidPlatformComponentsFactory.createFromContext(configuration.getAppContext()))
                         .applicationName(configuration.getAppContext().getPackageName())
                         .applicationVersion(getPackageVersion(configuration.getAppContext()))
@@ -927,44 +877,6 @@ public static MFASubmitChallengeCommandParameters createMFASubmitChallengeComman
         return commandParameters;
     }
 
-    /**
-     * Creates command parameter for [{@link com.microsoft.identity.common.nativeauth.internal.commands.GetAuthMethodsCommand}] of Native Auth
-     * @param configuration PCA configuration
-     * @param tokenCache token cache for storing results
-     * @param correlationId correlation ID to use in the API request, taken from the previous request in the flow
-     * @param continuationToken Continuation token
-     * @return Command parameter object
-     */
-    public static GetAuthMethodsCommandParameters createGetAuthMethodsCommandParameters(
-            @NonNull final NativeAuthPublicClientApplicationConfiguration configuration,
-            @NonNull final OAuth2TokenCache tokenCache,
-            @NonNull final String continuationToken,
-            @NonNull final String correlationId) {
-
-        final NativeAuthCIAMAuthority authority = ((NativeAuthCIAMAuthority) configuration.getDefaultAuthority());
-
-        final GetAuthMethodsCommandParameters commandParameters =
-                GetAuthMethodsCommandParameters.builder()
-                        .platformComponents(AndroidPlatformComponentsFactory.createFromContext(configuration.getAppContext()))
-                        .applicationName(configuration.getAppContext().getPackageName())
-                        .applicationVersion(getPackageVersion(configuration.getAppContext()))
-                        .clientId(configuration.getClientId())
-                        .isSharedDevice(configuration.getIsSharedDevice())
-                        .redirectUri(configuration.getRedirectUri())
-                        .oAuth2TokenCache(tokenCache)
-                        .requiredBrokerProtocolVersion(configuration.getRequiredBrokerProtocolVersion())
-                        .sdkType(SdkType.MSAL)
-                        .sdkVersion(PublicClientApplication.getSdkVersion())
-                        .powerOptCheckEnabled(configuration.isPowerOptCheckForEnabled())
-                        .authority(authority)
-                        .continuationToken(continuationToken)
-                        .challengeType(configuration.getChallengeTypes())
-                        .correlationId(correlationId)
-                        .build();
-
-        return commandParameters;
-    }
-
     /**
      * Creates command parameter for [ResetPasswordStartCommand] of Native Auth.
      * @param configuration PCA configuration

msal/src/main/java/com/microsoft/identity/client/internal/CommandParametersAdapter.java

@@ -768,7 +768,8 @@ class NativeAuthPublicClientApplication(
                                     correlationId = result.correlationId,
                                     scopes = scopes,
                                     config = nativeAuthConfig
-                                )
+                                ),
+                                authMethods = result.authMethods.toListOfAuthMethods()
                             )
                         }
 

msal/src/main/java/com/microsoft/identity/nativeauth/NativeAuthPublicClientApplication.kt

@@ -1,6 +1,5 @@
 package com.microsoft.identity.nativeauth.statemachine.errors
 
-import com.microsoft.identity.nativeauth.statemachine.results.MFAGetAuthMethodsResult
 import com.microsoft.identity.nativeauth.statemachine.results.MFARequiredResult
 import com.microsoft.identity.nativeauth.statemachine.results.MFASubmitChallengeResult
 
@@ -26,27 +25,6 @@ class MFARequestChallengeError(
     override var exception: Exception? = null
 ): MFARequiredResult, BrowserRequiredError, Error(errorType = errorType, error = error, errorMessage= errorMessage, correlationId = correlationId, errorCodes = errorCodes, exception = exception)
 
-/**
- * MFA get authentication methods error. Use the utility methods of this class
- * to identify and handle the error. This error is produced by
- * [com.microsoft.identity.nativeauth.statemachine.states.MFARequiredState.getAuthMethods]
- * @param errorType the error type value of the error that occurred.
- * @param error the error returned by the authentication server.
- * @param errorMessage the error message returned by the authentication server.
- * @param correlationId a unique identifier for the request that can help in diagnostics.
- * @param errorCodes a list of specific error codes returned by the authentication server.
- * @param exception an internal unexpected exception that happened.
- */
-class MFAGetAuthMethodsError(
-    override val errorType: String? = null,
-    override val error: String? = null,
-    override val errorMessage: String?,
-    override val correlationId: String,
-    override val errorCodes: List<Int>? = null,
-    val subError: String? = null,
-    override var exception: Exception? = null
-): MFAGetAuthMethodsResult, BrowserRequiredError, Error(errorType = errorType, error = error, errorMessage= errorMessage, correlationId = correlationId, errorCodes = errorCodes, exception = exception)
-
 /**
  * MFA submit challenge error. The user should use the utility methods of this class
  * to identify and handle the error. This error is produced by

msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/errors/MFAErrors.kt

@@ -23,7 +23,6 @@
 
 package com.microsoft.identity.nativeauth.statemachine.results
 
-import com.microsoft.identity.nativeauth.AuthMethod
 import com.microsoft.identity.nativeauth.statemachine.states.MFARequiredState
 
 /**
@@ -46,26 +45,8 @@ interface MFARequiredResult: Result {
         val sentTo: String,
         val channel: String,
     ) : MFARequiredResult, Result.SuccessResult(nextState = nextState)
-
-    /**
-     * Selection required result, which indicates that a specific authentication method must be selected, which
-     * the server will send the challenge to (once sendChallenge() is called).
-     *
-     * @param nextState [com.microsoft.identity.nativeauth.statemachine.states.MFARequiredState] the current state of the flow with follow-on methods.
-     * @param authMethods the authentication methods that can be used to complete the challenge flow.
-     */
-    class SelectionRequired(
-        override val nextState: MFARequiredState,
-        val authMethods: List<AuthMethod>
-    ) : MFARequiredResult, MFAGetAuthMethodsResult, Result.SuccessResult(nextState = nextState)
 }
 
-/**
- * Results related to get authentication methods operation, produced by
- * [com.microsoft.identity.nativeauth.statemachine.states.MFARequiredState.getAuthMethods]
- */
-interface MFAGetAuthMethodsResult : Result
-
 /**
  * Results related to MFA submit challenge operation, produced by
  * [com.microsoft.identity.nativeauth.statemachine.states.MFARequiredState.submitChallenge]

msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/results/MFAResult.kt

@@ -82,8 +82,9 @@ interface SignInResult : Result {
      * @param nextState [com.microsoft.identity.nativeauth.statemachine.states.AwaitingMFAState] the current state of the flow with follow-on methods.
      */
     class MFARequired(
-        override val nextState: AwaitingMFAState
-    ) : SignInResult, Result.SuccessResult(nextState = nextState), SignInSubmitPasswordResult
+        override val nextState: AwaitingMFAState,
+        val authMethods: List<AuthMethod>
+    ) : Result.SuccessResult(nextState = nextState), SignInResult, SignInSubmitPasswordResult
 
     /**
      * StrongAuthMethodRegistration Result, which indicates that a registration of a strong authentication method is required to continue.
@@ -94,7 +95,7 @@ interface SignInResult : Result {
     class StrongAuthMethodRegistrationRequired(
         override val nextState: RegisterStrongAuthState,
         val authMethods: List<AuthMethod>
-    ) : SignInResult, SignInSubmitPasswordResult, Result.SuccessResult(nextState = nextState)
+    ) : Result.SuccessResult(nextState = nextState), SignInResult, SignInSubmitPasswordResult
 }
 
 /**