I am preparing work for an Azure AD B2C solution that will support logging in using social identity providers like Apple, Google and Microsoft. My client wants to require users to log in using multi-factor authentication (MFA) in Azure AD B2C, but only if they haven't already done so with the social identity provider.

Is there a way in Azure AD B2C to determine if a user has already authenticated using MFA? It would be nice if there is some sort of MFA claim in the token that indicates this, but I am not sure if this is standard. Requesting the user to do MFA twice is not very user friendly.

I found an older question indicating that Google does not share this information: Google OAuth2 API. Check user has two factor authentication (Not GSuite)

But that question was asked six years ago. I hope that by now there has been some progress in OAuth2/OIDC standardization on sharing this kind of information.

wbosland

1 Answer

In terms of standards, there's the optional amr claim. From the OpenID Connect spec:

OPTIONAL. Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The amr value is an array of case sensitive strings.

There's a similar recommendation in the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens spec.

The real answer though is that it depends on the identity provider. Each could - quite legitimately - return that information in their own custom claim(s), use their own values for the amr claim, or just not return the information at all.

Dave D
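As an added illustration of the answer's point (not code from the question, the answer or Azure AD B2C): a small check a relying party could run over a federated IdP token to decide whether to enforce MFA itself. The set of `amr` values treated as MFA evidence is an assumption taken from RFC 8176 (which defines `mfa`, `otp`, `hwk`, `sms`), since, as the answer says, each provider may use its own values or omit the claim; the sample tokens are constructed and unsigned.

```python
import base64
import json

# amr values treated as evidence that a second factor was used. These are
# RFC 8176 identifiers; treating them as MFA is an assumption, because the
# value set is agreed between the parties and is provider-specific.
MFA_AMR_VALUES = {"mfa", "otp", "hwk", "sms"}


def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the claims segment of a compact JWT.

    No signature check is done here: consult these claims only after the
    federated IdP token has been validated by the policy/library in use.
    """
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS")
    payload = segments[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def mfa_already_done(claims: dict) -> bool:
    """True only when the token carries explicit MFA evidence in amr.

    A missing amr claim (Google's tokens, per the question) or one with no
    recognised value yields False, so the caller falls back to enforcing
    MFA in B2C instead of trusting an absent signal.
    """
    amr = claims.get("amr")
    if not isinstance(amr, list):
        return False
    return any(isinstance(v, str) and v in MFA_AMR_VALUES for v in amr)


def needs_b2c_mfa(token: str) -> bool:
    """Decide whether B2C should run its own MFA step for this IdP token."""
    return not mfa_already_done(decode_jwt_payload(token))


def _make_token(claims: dict) -> str:
    # Constructed, unsigned sample token (header, claims, empty signature).
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


TOKEN_WITH_MFA = _make_token({"sub": "user1", "amr": ["pwd", "otp"]})
TOKEN_PWD_ONLY = _make_token({"sub": "user2", "amr": ["pwd"]})
TOKEN_NO_AMR = _make_token({"sub": "user3"})
```

Only the token carrying an agreed MFA value skips the B2C step; a password-only `amr` or a token without the claim still triggers MFA.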