Compatibility with Microsoft Entra multifactor authentication external method provider

[nicolaspernoud]

Hello, and thanks for this product !

Is it compatible with "Microsoft Entra multifactor authentication external method provider" (https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-external-method-provider) ? The use case is to delegate the checking of another factor to the Idp, while using Entra Id as main IdP.

For this to work, there would be a few requirements :

• implement the implicit flow, or at least the id_token response type : https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-external-method-provider#microsoft-entra-id-call-to-the-external-identity-provider ;
• parse the id_token_hint provided by entra id : https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-external-method-provider#example-of-an-id_token_hint ;
• provide an id_token that must be an mfa token : https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-external-method-provider#example-of-an-eam-that-satisfies-mfa ;
• be extensible to integrate custom authentication methods.

[anderspitman]

Hi @nicolaspernoud. That's an interesting idea. I'm not familiar with Entra. Just glancing over, this looks fairly complicated and is probably outside the scope of obligator/LastLogin. I'll leave this issue open for now though in case that changes in the future.

If you haven't already, you might want to check out the table in the readme to see if any of those tools have this functionality: https://github.com/lastlogin-net/obligator?tab=readme-ov-file#comparison-is-the-thief-of-joy

[nicolaspernoud]

Thanks for your reply. I did see the table, and thank you for it : I will study those product to work out if one could fit.