RedeemCode sends request from server #530

Open
mdevarajuelite opened this issue Apr 2, 2024 · 2 comments
Comments

@mdevarajuelite

We are using Microsoft.Owin.Security.OpenIdConnect in the ASP.NET Framework web app for AuthCode Flow authentication.

The initial authorization code request call to the identity provider (Entra ID) originates from the user's browser, but while redeeming the code for an access_token the request originates from the server. This triggers MFA because the client has Conditional Access policies configured on the Entra ID tenant, and the auth request is triggered from the Azure App Service server/host, which is not a whitelisted IP in the client's Entra ID.

Is this expected? Is there a design/config option to trigger the access_token request from client browser instead of the web app server?

@Tratcher
Member

Tratcher commented Apr 2, 2024

It's standard protocol in the OIDC code flow for the server to do the access_token request. I don't know why that would trigger any extra checks.

If you want to do everything client side then don't use the code flow. Instead have the client authenticate with the id provider via JavaScript and request a bearer token, and then use jwtbearer auth on the server to validate it.

@mdevarajuelite
Author

mdevarajuelite commented Apr 2, 2024

Thanks for confirming. Before moving the authentication to the client side we wanted to see if there are any ways to fix this as it looked like a common scenario.

The client has set up a Conditional Access policy on their Entra ID for security purposes, and the server IP is not part of their trusted IPs, so MFA is triggered during the non-interactive sign-in (token request). This issue is not for a single client; multiple clients are complaining about the same thing.
