Native auth: SMS OTP MFA/JIT implementation, Fixes AB#3313635 #2382
…ed. No getAuthMethod methods
…B#3351233 (#2379) This PR updates the SDK to match the latest flow from EC. In this new flow, the developer must always supply an auth method to the /oauth2/v2.0/challenge endpoint, which means that once the .mfaRequired error is received from the token endpoint, the /oauth2/v2.0/introspect endpoint needs to be called to retrieve the methods, which are automatically returned to the external developer. Furthermore, whenever the /token endpoint is called with an MFA Email OTP code, the grant type should be mfa_oob. Fixes [AB#3351233](https://identitydivision.visualstudio.com/Engineering/_workitems/edit/3351233) MSAL Common PR: AzureAD/microsoft-authentication-library-common-for-android#2760
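The call order described in the commit message above, modelled in memory as an added Kotlin example (not code from this PR or from MSAL). The endpoint paths and the `mfa_oob` grant type come from the page; the class and function names, method ids, error strings and OTP value are constructed for illustration.

```kotlin
// Added illustration, not MSAL code: an in-memory model of the call order.
// Type names, field names, ids, error strings and the OTP value are constructed.
data class AuthMethod(val id: String, val channel: String)
class FakeServer {
    val calls = mutableListOf<String>()
    private val registered = listOf(AuthMethod("m1", "email"), AuthMethod("m2", "sms"))
    private var challengedId: String? = null
    // Returns null on success, or an error name the client must act on.
    fun token(grantType: String, secret: String): String? {
        calls += "/token grant_type=$grantType"
        return when {
            grantType == "password" -> "mfa_required"          // first factor alone is not enough
            grantType != "mfa_oob" -> "unsupported_grant_type"
            challengedId == null -> "no_challenge_issued"      // code sent before any challenge
            secret != "123456" -> "invalid_oob_value"
            else -> null
        }
    }

    fun introspect(): List<AuthMethod> {
        calls += "/oauth2/v2.0/introspect"
        return registered
    }

    // There is no default method: an unknown id is rejected.
    fun challenge(methodId: String): Boolean {
        calls += "/oauth2/v2.0/challenge id=$methodId"
        val known = registered.any { it.id == methodId }
        if (known) challengedId = methodId
        return known
    }
}

// Client side: drives the sequence and returns the final /token error (null = signed in).
fun signInWithMfa(server: FakeServer, channel: String, code: String): String? {
    val first = server.token("password", "constructed-password")
    if (first != "mfa_required") return first
    val methods = server.introspect()                  // methods are fetched after the MFA error
    val method = methods.firstOrNull { it.channel == channel } ?: return "no_method_for_$channel"
    if (!server.challenge(method.id)) return "challenge_rejected"
    return server.token("mfa_oob", code)               // OTP is redeemed with grant type mfa_oob
}

fun main() {
    val server = FakeServer()
    println(signInWithMfa(server, "email", "123456"))  // final error, or null when signed in
    server.calls.forEach(::println)                    // the recorded request sequence
    println(FakeServer().token("mfa_oob", "123456"))   // OTP submitted without a prior challenge
}
```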
# Conflicts: # common
# Conflicts: # common # msal/src/main/java/com/microsoft/identity/client/internal/CommandParametersAdapter.java # msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/results/SignInResult.kt # msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/states/MFAStates.kt
Pull Request Overview
This PR implements SMS OTP MFA (Multi-Factor Authentication) and JIT (Just-In-Time) support for native authentication, building on the existing email OTP MFA implementation. The changes make verification contact a mandatory field for SMS authentication methods and update the API to handle SMS-specific authentication flows.
Key changes include:
- Removal of selection-based MFA flows in favor of direct auth method specification
- Addition of SMS channel support with mandatory verification contact validation
- Simplification of MFA state machine by removing getAuthMethods() functionality
- Enhanced JIT states to support both email and SMS verification contacts
Reviewed Changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| msal/src/test/java/com/microsoft/identity/nativeauth/NativeAuthPublicClientApplicationKotlinTest.kt | Removes selection-based MFA tests and updates remaining tests to use direct auth method specification |
| msal/src/test/java/com/microsoft/identity/nativeauth/NativeAuthPublicClientApplicationJavaTest.java | Simplifies MFA test scenarios by removing selection flow and updating to use auth methods from MFARequired result |
| msal/src/test/java/com/microsoft/identity/client/e2e/tests/network/nativeauth/SignInMFATest.kt | Updates e2e tests to use direct auth method specification instead of default challenge requests |
| msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/states/SignInStates.kt | Adds username parameter to state constructors and updates MFA/JIT result creation to include auth methods |
| msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/states/MFAStates.kt | Removes getAuthMethods functionality and makes auth method parameter mandatory for requestChallenge |
| msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/states/JITStates.kt | Adds SMS validation logic and username parameter support for verification contact handling |
| msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/results/SignInResult.kt | Updates MFARequired and StrongAuthMethodRegistrationRequired results to include auth methods list |
| msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/results/MFAResult.kt | Removes SelectionRequired result and getAuthMethods interface |
| msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/errors/MFAErrors.kt | Removes MFAGetAuthMethodsError class |
| msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/errors/JITErrors.kt | Adds verification contact blocked error handling |
| msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/errors/Error.kt | Adds VERIFICATION_CONTACT_BLOCKED error type |
| msal/src/main/java/com/microsoft/identity/nativeauth/parameters/NativeAuthChallengeAuthMethodParameters.kt | Updates documentation to include phone number support |
| msal/src/main/java/com/microsoft/identity/nativeauth/NativeAuthPublicClientApplication.kt | Updates state constructors to include username and auth methods |
| msal/src/main/java/com/microsoft/identity/nativeauth/AuthMethod.kt | Makes loginHint nullable and updates challenge channel documentation |
| msal/src/main/java/com/microsoft/identity/client/internal/CommandParametersAdapter.java | Removes default MFA challenge and getAuthMethods command parameters, consolidates to single auth method challenge |
| common | Updates common library submodule to support SMS OTP functionality |
# Conflicts: # common # msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/results/SignInResult.kt
This PR needs to be merged after the email OTP MFA one. This PR contains the changes to support SMS OTP MFA/JIT. Verification contact is now a mandatory field. MSAL PR: AzureAD/microsoft-authentication-library-for-android#2382 Fixes [AB#3313635](https://identitydivision.visualstudio.com/Engineering/_workitems/edit/3313635) --------- Co-authored-by: Mustafa Mizrak <[email protected]>
This PR needs to be merged after the email OTP MFA one.
This PR contains the changes to support SMS OTP MFA/JIT.
Verification contact is now a mandatory field.
MSAL Common PR: AzureAD/microsoft-authentication-library-common-for-android#2766
Fixes AB#3313635