3
votes

I have an app that is authenticating to the MS Graph in an Azure AD tenant and I'm using MSAL to call acquireTokenSilent. Sometimes my app receives a JWT access token with the amr field containing mfa, specifically:

amr: [
  "pwd",
  "rsa",
  "mfa"
]

which results in a successful OBO token exchange.

A couple of times my app has received a JWT access token with the amr field containing wia:

amr: [
  "wia"
]

and attempts to exchange this token for OBO token fail.

I haven't made any code changes in the authentication code in my app. What causes the difference in acquireTokenSilent behavior?

Thanks!

Edit

The app is an SPA written in TypeScript with ReactJS. We require the user to login with AAD before loading any of the content and the app calls loginRedirect to our tenant authority in the componentDidMount React method to achieve this.

When the user initiates a call to an authorized source (a middle-tier service we wrote), the app calls acquireTokenSilent to get a token with scopes for the middle-tier service's configure API. It then makes a call to our middle-tier service and sends the token in the header with the Bearer prefix. That service exchanges the token for an OBO token.

We have an AAD app registration in the Azure portal that has delegated API permissions to the AAD Graph User.Read and to our middle-tier service's configure API.

The middle-tier service receives the token (that we got from the app's acquireTokenSilent call) and exchanges it for an OBO token, requesting permission for several scopes for the MS Graph and requested_token_use=on_behalf_of.

When the JWT access token received from acquireTokenSilent has the amr field containing wia, the token exchange on the middle-tier service gets an error about a conditional access claims challenge requiring MFA.

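The flow described above (SPA token, middle-tier OBO exchange, claims challenge when the token's amr lacks mfa) as an added example; this is not code from the question, the answer, or MSAL itself. It shows how a middle tier can inspect the amr claim before attempting OBO and how to pull the claims challenge out of the token-endpoint error so the SPA can pass it to an interactive MSAL request. Node's Buffer is assumed for base64url handling; the tokens and error body are constructed samples.

```javascript
// Decode a JWT payload without verifying it. This is for inspection only;
// signature and audience validation still happen in the normal token validation path.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// True when the token records an MFA step (amr contains "mfa"). A token whose
// amr is only ["wia"] (Windows integrated auth) has not satisfied an MFA policy,
// so an OBO exchange for a scope protected by a Conditional Access MFA policy
// is expected to fail with a claims challenge.
function satisfiesMfa(jwt) {
  const amr = decodeJwtPayload(jwt).amr;
  return Array.isArray(amr) && amr.includes("mfa");
}

// Extract the claims challenge from a token-endpoint error body (OBO failure).
// Azure AD returns the required claims as a JSON string in the "claims" field;
// the middle tier should surface it to the SPA, which passes it as the `claims`
// request parameter of an interactive MSAL call instead of retrying acquireTokenSilent.
function claimsChallengeFromError(body) {
  const err = typeof body === "string" ? JSON.parse(body) : body;
  if (typeof err.claims !== "string") return null;
  JSON.parse(err.claims); // reject malformed challenges before forwarding them
  return err.claims;
}

// Constructed, unsigned sample token (signature segment is a placeholder).
function sampleToken(amr) {
  const b64url = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url({ aud: "api://middle-tier", amr })}.sig`;
}

// Constructed sample of an OBO error carrying a claims challenge (shape only;
// the actual claims Azure AD requests depend on the Conditional Access policy).
const SAMPLE_OBO_ERROR = JSON.stringify({
  error: "interaction_required",
  error_description: "multi-factor authentication required (constructed sample)",
  claims: JSON.stringify({ access_token: { amr: { essential: true, values: ["mfa"] } } }),
});
```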

1 Answer

3
votes

amr is the Authentication Methods Reference claim in the JWT. pwd refers to password authentication, by the service (using a client secret) or user and wia is Windows integrated auth.

Would need to know more about your set-up, like what platform are you using, what is your overall scenario, and how are you setting up the client application and making the acquire token calls, in order to determine the difference you are seeing between the calls.

You can check out this .NET sample on OBO and find more info here on MSAL.NET and OBO. More info on OBO flow.