Dear OutSystems community,
We have been using this Forge component to integrate Microsoft authentication into our OutSystems applications. However, recently we have been encountering an error message that states:
"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'." The full traceback can be found below.
We are seeking your advice on how to address this issue.
Have any of you encountered this error message before? If so, how did you solve it?
Is there any support currently for multi-factor authentication?
Full traceback:
AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.
Trace ID: 19df8531-8d1f-4ffa-8acd-19b99a5a0e00
Correlation ID: 0ca3d66c-60ca-470f-a005-7c13e055ea06
Timestamp: 2023-03-14 14:03:55Z
   at ssMicrosoftLoginConnectorCore.CcLoginMicrosoftOnline.ActionGetToken(HeContext heContext, ICcLoginMicrosoftOnlineCallbacks _callbacks, String inParamgrant_type, String inParamclient_id, String inParamcode, String inParamredirect_uri, String inParamclient_secret, String inParamresource, String inParamscope, STGetTokenResponseStructure& outParamResponse)
   at ssMicrosoftLoginConnectorCore.Actions.ActionOAuth2_GetAndParseToken(HeContext heContext, String inParamCode, String inParamState, String inParamSession_state, String inParamCallbackURL, STGetTokenResponseStructure& outParamResponse, String& outParamRedirectURL)
   at ssMicrosoftLoginConnectorCore.Actions.ActionInitializeCallback(HeContext heContext, String inParamError, String inParamErrorDescription, String inParamcode, String inParamstate, String inParamsession_state, String inParamCallbackURL, String& outParamRedirectURL)
   at ssMicrosoftLoginConnector.RsseSpaceMicrosoftLoginConnectorCore.MssInitializeCallback(HeContext heContext, String inParamError, String inParamErrorDescription, String inParamcode, String inParamstate, String inParamsession_state, String inParamCallbackURL, String& outParamRedirectURL)
   at ssMicrosoftLoginConnector.Flows.FlowCommonFlow.ScrnCallbackPage.Preparation(HeContext heContext)
   at ssMicrosoftLoginConnector.Flows.FlowCommonFlow.ScrnCallbackPage.Page_Load(Object sender, EventArgs e)
   at System.Web.UI.Control.OnLoad(EventArgs e)
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Thank you for your time and help.
Best regards,
Ervin
Hi Ervin,
MLC does not need to support MFA itself. It is a login provider where the login process is delegated to the IdP, in this case, Azure. Azure will handle the login by asking for the username and password and, if needed, invoke an MFA. Alternative flows like no-password logins are also supported by Azure AD. When this process is complete a callback will be made to MLC that will contain the user identification of the user that has performed the authentication. This information is then used to log in the correct OutSystems user.
If you get this error after the user is already logged in and has been using the application for some time already, then that means an admin of Azure AD has decided that MFA is needed to access a certain resource. I can only presume that you access a REST endpoint like Microsoft Graph in your application since this would be a checkpoint for your authorization token. This request will then be bounced with your error because the user has initially authenticated without MFA (which is also noted in the callback payload). The solution for this is rather easy: perform the login process again for the same user. You can also check the payload yourself to see if the authentication has been performed with an MFA prompt. This is not a capability of the component so you must create it yourself. I will put it on my backlog since it is a nice thing to be able to check.
Should this not match your situation then please let us know the exact situation that you have. The solution will likely not be in the MLC component but I'm willing to assist where possible.
Greetings,
Vincent
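As an added illustration of the two points above (checking the callback payload for an MFA prompt, and re-running the login without ending up in a redirect loop), here is example code that is not part of the MLC component or this thread. It assumes the callback receives an Azure AD id_token whose 'amr' claim lists the authentication methods used, and that the token's signature was already validated by the connector; the sample tokens are constructed and unsigned.

```python
import base64
import json
import re
from typing import Optional

MFA_REQUIRED = "AADSTS50076"  # Azure AD: MFA is required for the requested resource
MAX_REAUTH = 1                # one interactive retry; a second failure is not fixed by re-login


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the claims of a compact JWS. No signature check is done here:
    only call this on an id_token the connector has already validated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def authenticated_with_mfa(id_token: str) -> bool:
    """Azure AD records the methods used in 'amr'; 'mfa' means an MFA prompt was satisfied."""
    return "mfa" in decode_jwt_claims(id_token).get("amr", [])


def aadsts_code(error_text: str) -> Optional[str]:
    """Extract the AADSTS code from an error_description or exception message."""
    match = re.search(r"\b(AADSTS\d+)\b", error_text)
    return match.group(1) if match else None


def next_step(error_text: str, reauth_attempts: int) -> str:
    """Decide what the callback page should do instead of redirecting unconditionally.
    reauth_attempts is a per-session counter kept by the caller (assumed)."""
    if aadsts_code(error_text) != MFA_REQUIRED:
        return "fail"       # some other error: re-login will not help
    if reauth_attempts >= MAX_REAUTH:
        return "fail"       # same error after a retry: stop the redirect loop
    return "reauth"         # send the user back to /authorize (e.g. with prompt=login)


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample only: builds an alg=none token so the checks above can be exercised."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{enc(json.dumps(claims).encode())}."
```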
Hi Vincent,
First of all, thank you for your reply.
I did try your approach, albeit perhaps not in the right way. When the exception is caught on the callback preparation, I perform the login process again. However, this leads to the same exception, which then causes a redirect loop and ultimately a "too many redirects" error.
If you have any other ideas or additional feedback, I am eager to hear them.
Thank you in advance and kind regards,
I had this same issue with a client of mine and after much investigation we discovered we needed to be using the v2 endpoints for Azure AD. It is for this reason I created a new Forge component which supports the v2 endpoints as well as some other features for OAuth2 token management. Take a look, perhaps this will help you get things working: Azure AD Login Connector - Overview | OutSystems
Hello,
Unfortunately, it seems this component only supports reactive apps and I am using traditional web.
Thank you for your input!
Kind regards,