Native auth: SMS OTP MFA/JIT implementation, Fixes AB#3313635

changelog

@@ -3,6 +3,8 @@ MSAL Wiki : https://github.com/AzureAD/microsoft-authentication-library-for-andr
 vNext
 ----------
 - [MAJOR] Update proguard rules (#2372)
+- [MINOR] SDK now handles SMS as strong authentication method (#2382)
+- [MINOR] Awaiting MFA Delegate now automatically returns the AuthMethods to be used when calling MFA Challenge (#2380)
 
 Version 7.1.0
 ----------

msal/src/main/java/com/microsoft/identity/nativeauth/AuthMethod.kt

@@ -26,8 +26,6 @@ import android.os.Parcel
 import android.os.Parcelable
 import com.microsoft.identity.common.java.nativeauth.providers.responses.signin.AuthenticationMethodApiResult
 import com.microsoft.identity.common.java.nativeauth.util.ILoggable
-import com.microsoft.identity.nativeauth.statemachine.states.AwaitingMFAState
-import com.microsoft.identity.nativeauth.utils.serializable
 
 /**
  * AuthMethod represents a user's authentication methods.
@@ -40,9 +38,9 @@ data class AuthMethod(
     val challengeType: String,
 
     // Auth method login hint (e.g. [email protected])
-    val loginHint: String,
+    val loginHint: String?,
 
-    // Auth method challenge channel (email, etc.)
+    // Auth method challenge channel (email, sms, etc.)
     val challengeChannel: String,
 ) : ILoggable, Parcelable {
     override fun toUnsanitizedString(): String = "AuthMethod(id=$id, " +

msal/src/main/java/com/microsoft/identity/nativeauth/NativeAuthPublicClientApplication.kt

@@ -682,6 +682,7 @@ class NativeAuthPublicClientApplication(
                                 nextState = SignInCodeRequiredState(
                                     continuationToken = result.continuationToken,
                                     correlationId = result.correlationId,
+                                    username = username,
                                     scopes = scopes,
                                     config = nativeAuthConfig,
                                     claimsRequestJson = params.claimsRequestJson
@@ -719,6 +720,7 @@ class NativeAuthPublicClientApplication(
                                     nextState = SignInPasswordRequiredState(
                                         continuationToken = result.continuationToken,
                                         correlationId = result.correlationId,
+                                        username = username,
                                         scopes = scopes,
                                         config = nativeAuthConfig,
                                         claimsRequestJson = params.claimsRequestJson

msal/src/main/java/com/microsoft/identity/nativeauth/parameters/NativeAuthChallengeAuthMethodParameters.kt

@@ -32,11 +32,10 @@ class NativeAuthChallengeAuthMethodParameters(
     /**
      * authentication method to challenge
      */
-    val authMethod: AuthMethod
-) {
+    val authMethod: AuthMethod,
 
     /**
-     * email to contact to register a new strong authentication method
+     * email or phone number to contact to register a new strong authentication method
      */
-    var verificationContact: String? = null
-}
+    var verificationContact: String
+)

msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/errors/Error.kt

@@ -23,23 +23,14 @@
 
 package com.microsoft.identity.nativeauth.statemachine.errors
 
-import com.microsoft.identity.nativeauth.statemachine.results.GetAccessTokenResult
 import com.microsoft.identity.nativeauth.statemachine.results.GetAccountResult
 import com.microsoft.identity.nativeauth.statemachine.results.ResetPasswordResendCodeResult
-import com.microsoft.identity.nativeauth.statemachine.results.ResetPasswordResult
-import com.microsoft.identity.nativeauth.statemachine.results.ResetPasswordStartResult
 import com.microsoft.identity.nativeauth.statemachine.results.ResetPasswordSubmitCodeResult
-import com.microsoft.identity.nativeauth.statemachine.results.ResetPasswordSubmitPasswordResult
 import com.microsoft.identity.nativeauth.statemachine.results.SignInResendCodeResult
-import com.microsoft.identity.nativeauth.statemachine.results.SignInResult
 import com.microsoft.identity.nativeauth.statemachine.results.SignInSubmitCodeResult
-import com.microsoft.identity.nativeauth.statemachine.results.SignInSubmitPasswordResult
 import com.microsoft.identity.nativeauth.statemachine.results.SignOutResult
 import com.microsoft.identity.nativeauth.statemachine.results.SignUpResendCodeResult
-import com.microsoft.identity.nativeauth.statemachine.results.SignUpResult
-import com.microsoft.identity.nativeauth.statemachine.results.SignUpSubmitAttributesResult
 import com.microsoft.identity.nativeauth.statemachine.results.SignUpSubmitCodeResult
-import com.microsoft.identity.nativeauth.statemachine.results.SignUpSubmitPasswordResult
 
 /**
  * ErrorTypes class holds the possible error type values that are shared between the errors
@@ -89,6 +80,12 @@ internal class ErrorTypes {
          */
         const val INVALID_INPUT = "invalid_input"
 
+        /*
+         * The VERIFICATION_CONTACT_BLOCKED value indicates the verification contact provided has been blocked.
+         * Try using another email or phone number, or select an alternative authentication method.
+         */
+        const val VERIFICATION_CONTACT_BLOCKED = "verification_contact_blocked"
+
         /*
          * The INVALID_STATE value indicates a misconfigured or expired state, or an internal error
          * in state transitions. If this occurs, the flow should be restarted.

msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/errors/JITErrors.kt

@@ -13,6 +13,12 @@ class RegisterStrongAuthChallengeError(
 ): BrowserRequiredError, RegisterStrongAuthChallengeResult, Error(errorType = errorType, error = error, errorMessage= errorMessage, correlationId = correlationId, errorCodes = errorCodes, exception = exception)
 {
     fun isInvalidInput(): Boolean = this.errorType == ErrorTypes.INVALID_INPUT
+
+    /*
+     * Returns true if the verification contact provided has been blocked.
+     * Try using another email or phone number, or select an alternative authentication method.
+     */
+    fun isVerificationContactBlocked(): Boolean = this.errorType == ErrorTypes.VERIFICATION_CONTACT_BLOCKED
 }
 
 class RegisterStrongAuthSubmitChallengeError(

msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/results/MFAResult.kt

@@ -37,7 +37,7 @@ interface MFARequiredResult: Result {
      * @param nextState [com.microsoft.identity.nativeauth.statemachine.states.MFARequiredState] the current state of the flow with follow-on methods.
      * @param codeLength the length of the challenge required by the server.
      * @param sentTo the email/phone number the challenge was sent to.
-     * @param channel the channel(email/phone) the challenge was sent through.
+     * @param channel the channel(email/sms) the challenge was sent through.
      */
     class VerificationRequired(
         override val nextState: MFARequiredState,

msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/results/SignInResult.kt

@@ -84,7 +84,7 @@ interface SignInResult : Result {
     class MFARequired(
         override val nextState: AwaitingMFAState,
         val authMethods: List<AuthMethod>
-    ) : Result.SuccessResult(nextState = nextState), SignInResult, SignInSubmitPasswordResult
+    ) : Result.SuccessResult(nextState = nextState), SignInResult, SignInSubmitPasswordResult, SignInSubmitCodeResult
 
     /**
      * StrongAuthMethodRegistration Result, which indicates that a registration of a strong authentication method is required to continue.
@@ -95,7 +95,7 @@ interface SignInResult : Result {
     class StrongAuthMethodRegistrationRequired(
         override val nextState: RegisterStrongAuthState,
         val authMethods: List<AuthMethod>
-    ) : Result.SuccessResult(nextState = nextState), SignInResult, SignInSubmitPasswordResult
+    ) : Result.SuccessResult(nextState = nextState), SignInResult, SignInSubmitPasswordResult, SignInSubmitCodeResult
 }
 
 /**

msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/states/JITStates.kt

@@ -47,16 +47,20 @@ abstract class BaseJITSubmitChallengeState(
             tag,
             "Warning: this API is experimental. It may be changed in the future without notice. Do not use in production applications."
         )
-        // if external developer does not provide a verification contact, we use the login hint
-        val verificationContact: String = parameters.verificationContact.takeIf { !it.isNullOrBlank() } ?: parameters.authMethod.loginHint
-        // Currently, only email is supported for the challengeChannel. Continuation token grant type is used only for "preverified" flow.
-        val challengeChannel = NativeAuthConstants.ChallengeChannel.EMAIL
+        if (parameters.verificationContact.isBlank()) {
+            return RegisterStrongAuthChallengeError(
+                errorType = ErrorTypes.INVALID_INPUT,
+                errorMessage = "Invalid verification contact",
+                correlationId = correlationId
+            )
+        }
+
         val params =
             CommandParametersAdapter.createJITChallengeAuthMethodCommandParameters(
                 config,
                 config.oAuth2TokenCache,
-                verificationContact,
-                challengeChannel,
+                parameters.verificationContact,
+                parameters.authMethod.challengeChannel,
                 parameters.authMethod.challengeType,
                 correlationId,
                 continuationToken,
@@ -108,6 +112,15 @@ abstract class BaseJITSubmitChallengeState(
                         errorCodes = result.errorCodes
                     )
                 }
+                is JITCommandResult.BlockedVerificationContact -> {
+                    RegisterStrongAuthChallengeError(
+                        errorType = ErrorTypes.VERIFICATION_CONTACT_BLOCKED,
+                        error = result.error,
+                        errorMessage = result.errorDescription,
+                        correlationId = result.correlationId,
+                        errorCodes = result.errorCodes
+                    )
+                }
                 is JITCommandResult.VerificationRequired -> {
                     RegisterStrongAuthChallengeResult.VerificationRequired(
                         result = NativeAuthRegisterStrongAuthVerificationRequiredResultParameter(
@@ -134,6 +147,10 @@ abstract class BaseJITSubmitChallengeState(
             }
         }
     }
+
+    private fun isChallengeChannelSMS(challengeChannel: String): Boolean {
+        return challengeChannel.equals(NativeAuthConstants.ChallengeChannel.SMS, ignoreCase = true)
+    }
 }
 
 class RegisterStrongAuthState(

msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/states/SignInStates.kt

@@ -76,6 +76,7 @@ import kotlinx.coroutines.withContext
 class SignInCodeRequiredState internal constructor(
     override val continuationToken: String,
     override val correlationId: String,
+    private val username: String,
     private val scopes: List<String>?,
     private val claimsRequestJson: String?,
     private val config: NativeAuthPublicClientApplicationConfiguration
@@ -85,6 +86,7 @@ class SignInCodeRequiredState internal constructor(
     constructor(parcel: Parcel) : this(
         continuationToken = parcel.readString()  ?: "",
         correlationId = parcel.readString() ?: "UNSET",
+        username = parcel.readString() ?: "",
         scopes = parcel.createStringArrayList(),
         claimsRequestJson = parcel.readString(),
         config = parcel.serializable<NativeAuthPublicClientApplicationConfiguration>() as NativeAuthPublicClientApplicationConfiguration
@@ -201,6 +203,27 @@ class SignInCodeRequiredState internal constructor(
                             exception = result.exception
                         )
                     }
+                    is SignInCommandResult.MFARequired -> {
+                        SignInResult.MFARequired(
+                            nextState = AwaitingMFAState(
+                                continuationToken = result.continuationToken,
+                                correlationId = result.correlationId,
+                                scopes = scopes,
+                                config = config
+                            ),
+                            authMethods = result.authMethods.toListOfAuthMethods()
+                        )
+                    }
+                    is SignInCommandResult.StrongAuthMethodRegistrationRequired -> {
+                        SignInResult.StrongAuthMethodRegistrationRequired(
+                            nextState = RegisterStrongAuthState(
+                                continuationToken = result.continuationToken,
+                                correlationId = result.correlationId,
+                                config = config
+                            ),
+                            authMethods = result.authMethods.toListOfAuthMethods()
+                        )
+                    }
                 }
             } catch (e: Exception) {
                 SubmitCodeError(
@@ -277,6 +300,7 @@ class SignInCodeRequiredState internal constructor(
                             nextState = SignInCodeRequiredState(
                                 continuationToken = result.continuationToken,
                                 correlationId = result.correlationId,
+                                username = username,
                                 scopes = scopes,
                                 config = config,
                                 claimsRequestJson = claimsRequestJson
@@ -358,6 +382,7 @@ class SignInCodeRequiredState internal constructor(
 class SignInPasswordRequiredState(
     override val continuationToken: String,
     override val correlationId: String,
+    private val username: String,
     private val scopes: List<String>?,
     private val claimsRequestJson: String?,
     private val config: NativeAuthPublicClientApplicationConfiguration
@@ -366,6 +391,7 @@ class SignInPasswordRequiredState(
     constructor(parcel: Parcel) : this(
         continuationToken = parcel.readString()  ?: "",
         correlationId = parcel.readString() ?: "UNSET",
+        username = parcel.readString() ?: "",
         scopes = parcel.createStringArrayList(),
         claimsRequestJson = parcel.readString(),
         config = parcel.serializable<NativeAuthPublicClientApplicationConfiguration>() as NativeAuthPublicClientApplicationConfiguration
@@ -720,6 +746,17 @@ class SignInContinuationState(
                             authMethods = result.authMethods.toListOfAuthMethods()
                         )
                     }
+                    is SignInCommandResult.MFARequired -> {
+                        SignInResult.MFARequired(
+                            nextState = AwaitingMFAState(
+                                continuationToken = result.continuationToken,
+                                correlationId = result.correlationId,
+                                scopes = parameters.scopes,
+                                config = config
+                            ),
+                            authMethods = result.authMethods.toListOfAuthMethods()
+                        )
+                    }
                     is INativeAuthCommandResult.Redirect -> {
                         SignInContinuationError(
                             errorType = ErrorTypes.BROWSER_REQUIRED,