fix(portal-bff): drop strict amr check — flow blocked when Entra omits the claim #108
Reference in New Issue
Block a user
Delete Branch "fix/portal-bff/auth-relax-amr-check"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Bug
After a real sign-in against the Entra tenant, the callback rejected the flow with:
The user landed on the SPA with
?auth_error=amr-missinginstead of authenticated. Every dev sign-in is blocked.Root cause
PR #107's
amr-missingguard misread ADR-0011's intent.amris an optional claim in Entra ID tokens: it's populated for fresh interactive sign-ins where Conditional Access asked for an MFA method, and frequently absent for SSO / refresh flows or in tenants where no CA policy is configured on the app registration. Rejecting tokens on emptyamrblocks every legitimate sign-in against such a tenant.ADR-0011 actually specifies:
@RequireMfa({ freshness: 600 })decorator (designed-in, no v1 consumer) is what guards sensitive routes.amrthrough the audit log and the future guard, not as a callback precondition.Fix
auth.errors.ts: drop theamr-missingvariant from theAuthCodeFlowErrordiscriminator. Three failure modes left:state-mismatch,flow-expired,token-exchange-failed. MSAL's ID-token validation (signature, issuer, audience, exp, nbf) is the real gate at this stage.auth.service.ts:toAuthenticatedUserkeeps extractingamrand passing it through (as a possibly-empty string array) so the structured log line and the future@RequireMfaguard still see it. The strictif (amr.length === 0) throwis replaced by a comment explaining the new shape.auth.service.spec.ts: the'throws amr-missing'test becomes'returns the user even when the ID token has no amr claim'— asserts the array passes through empty rather than blocking the flow.Verification
nx run-many -t lint test build --projects=portal-bff— green. 52/52 specs.auth.signed_inlog shows the resolved identity withamr(often[]until CA is configured on the org side).