Native auth: Update Email OTP MFA to Match EC Implementation, Fixes AB#3351233 #2380
…B#3351233 (#2379)

This PR updates the SDK to match the latest flow from EC. In this new flow, the developer must always supply an auth method to the /oauth2/v2.0/challenge endpoint, which means once the .mfaRequired error is received from the token endpoint, the /oauth2/v2.0/introspect endpoint needs to be called to retrieve the methods, which are automatically returned to the external developer. Furthermore, whenever the /token endpoint is called with an MFA Email OTP code, the grant type should be mfa_oob.

Fixes [AB#3351233](https://identitydivision.visualstudio.com/Engineering/_workitems/edit/3351233)

MSAL Common PR: AzureAD/microsoft-authentication-library-common-for-android#2760

# Conflicts:
# common
Pull Request Overview
This PR updates the Native Auth MFA flow to align with the latest EC implementation. The key change requires developers to always supply an auth method when calling the challenge endpoint, eliminating the previous pattern of calling challenge without parameters and then using getAuthMethods().
- Removes the intermediate getAuthMethods() API call flow that was previously used in MFA scenarios
- Updates all MFA requestChallenge calls to require an AuthMethod parameter instead of being optional
- Simplifies test scenarios by directly using auth methods returned from the MFA required state
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| NativeAuthPublicClientApplicationKotlinTest.kt | Removes complex multi-step MFA test scenarios and updates remaining tests to use auth methods from MFA result |
| NativeAuthPublicClientApplicationJavaTest.java | Consolidates MFA test scenarios and removes getAuthMethods callback implementation |
| SignInMFATest.kt | Simplifies E2E MFA tests by removing getAuthMethods flow and unused imports |
| SignInStates.kt | Adds authMethods to MFARequired result construction |
| MFAStates.kt | Removes getAuthMethods API and makes authMethod parameter required for requestChallenge |
| SignInResult.kt | Adds authMethods property to MFARequired result class |
| MFAResult.kt | Removes SelectionRequired result and MFAGetAuthMethodsResult interface |
| MFAErrors.kt | Removes MFAGetAuthMethodsError class |
| NativeAuthPublicClientApplication.kt | Adds authMethods to MFARequired result construction |
| CommandParametersAdapter.java | Removes getAuthMethods and default challenge command parameters, renames selected challenge parameters |
| common | Updates submodule reference for MSAL Common changes |
…33 (#2764)

This PR updates the SDK to match the latest flow from EC. In this new flow, the developer must always supply an auth method to the /oauth2/v2.0/challenge endpoint, which means once the .mfaRequired error is received from the token endpoint, the /oauth2/v2.0/introspect endpoint needs to be called to retrieve the methods, which are automatically returned to the external developer. Furthermore, whenever the /token endpoint is called with an MFA Email OTP code, the grant type should be mfa_oob.

Fixes [AB#3351233](https://identitydivision.visualstudio.com/Engineering/_workitems/edit/3351233)

MSAL PR: AzureAD/microsoft-authentication-library-for-android#2380

---------

Co-authored-by: Mustafa Mizrak <[email protected]>
This PR updates the SDK to match the latest flow from EC.
In this new flow, the developer must always supply an auth method to the /oauth2/v2.0/challenge endpoint, which means once the .mfaRequired error is received from the token endpoint, the /oauth2/v2.0/introspect endpoint needs to be called to retrieve the methods, which are automatically returned to the external developer.
Furthermore, whenever the /token endpoint is called with an MFA Email OTP code, the grant type should be mfa_oob.
Fixes AB#3351233
MSAL Common PR: AzureAD/microsoft-authentication-library-common-for-android#2764
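
The call order this description lays out, as an added example that is not code from the PR or the MSAL SDK: an in-memory stand-in for the service that enforces token, then introspect, then challenge with a chosen method, then token with grant type mfa_oob. The class, function and field names and every value are assumptions made for illustration; only the endpoint paths and the mfa_oob grant type come from the description.

```python
import secrets

# Constructed sample data; the field names are assumptions, not the service's schema.
METHODS = [{"id": "email-1", "challenge_type": "oob", "login_hint": "u***@example.com"}]

class FakeServer:
    """In-memory model of the call ordering only (hypothetical, not the real service)."""
    def __init__(self, otp):
        self.otp, self.sessions = otp, {}

    def _issue(self, state):
        token = secrets.token_hex(8)
        self.sessions[token] = state
        return token

    def _consume(self, token, state):
        # Continuation tokens are single use and bound to one step of the flow.
        if self.sessions.pop(token, None) != state:
            raise PermissionError("invalid or out-of-order continuation token")

    def token_first_factor(self):
        # Stands in for the /token call that answers with the MFA-required error.
        return {"error": "mfa_required", "continuation_token": self._issue("mfa_required")}

    def introspect(self, continuation_token):  # /oauth2/v2.0/introspect
        self._consume(continuation_token, "mfa_required")
        return {"methods": METHODS, "continuation_token": self._issue("introspected")}

    def challenge(self, continuation_token, method_id=None):  # /oauth2/v2.0/challenge
        if method_id not in {m["id"] for m in METHODS}:
            raise ValueError("challenge needs one of the introspected auth methods")
        self._consume(continuation_token, "introspected")
        return {"continuation_token": self._issue("challenged")}

    def token_mfa(self, continuation_token, grant_type, oob):  # /token with the emailed code
        if grant_type != "mfa_oob":
            raise ValueError("an MFA email OTP code must be sent with grant_type=mfa_oob")
        self._consume(continuation_token, "challenged")
        if not secrets.compare_digest(oob, self.otp):
            raise PermissionError("wrong one-time code")
        return {"access_token": "constructed-access-token"}

def sign_in_with_email_otp(server, read_code):
    first = server.token_first_factor()
    listed = server.introspect(first["continuation_token"])
    method = listed["methods"][0]  # a real app would let the user choose
    sent = server.challenge(listed["continuation_token"], method_id=method["id"])
    return server.token_mfa(sent["continuation_token"], grant_type="mfa_oob", oob=read_code())
```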