Revalidating the user on some action

Hi team,

We got a requirement and I'm looking for a fix. My application is integrated with SSO already, so when a user logs into the application, they are utilizing the SSO feature. Now when the user is approving a certain request, they have to reverify themselves by entering their own email address and password.

Steps:
1. User logs into the application.
2. Clicks on approve and a popup opens up to enter email id and password.
3. Request the IDP to provide the approval.

Note: Requirements also state that the user entering the credentials should be a popup and not a login form.

To achieve this, we are utilising the Microsoft Graph feature. The API is used to get the access token using the username and password along with client credentials. My team has doubts: the get access token API with username and password is risky.

Please let me know if anyone has encountered this kind of scenario or knows how to achieve this.

Thanks in advance

Hi Jhansi laxmi Mora


Don't use username+password to get tokens from MS Graph (ROPC). Instead, implement the OAuth2 / OIDC Authorization Code flow (with PKCE) in a popup and force a re-authentication/step-up via the authorize endpoint (e.g. prompt=login / OIDC step-up). Validate the returned ID/access token server-side (check oid/sub/email, iat/exp, token signature). If additional assurance is required, use Azure Conditional Access (MFA/step-up) or require claims/acr_values.

Force Re-authentication Flow

  • When user clicks “Approve”, open an OAuth authorize request in a small popup window (not a full login form embedded in your page). Use parameters to force a fresh login / step-up. That causes the IdP to show the login prompt or trigger MFA/conditional access.

  • After successful authentication, the IdP returns tokens (or a code you exchange) to your app/backend. Validate tokens and confirm the user identity matches the currently logged-in user.

Note: Do the exchange server-side (Mendix microflow / REST call) using the confidential client credentials. This avoids exposing the client secret in the browser and allows secure token validation and logging.


I hope this helps you

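The step-up flow described in the answer, as an added Python example (not code from the post or from Mendix): the backend builds the authorize URL the popup opens (PKCE, state, nonce, prompt=login) and, after the server-side code exchange, checks the ID token's claims against the already-signed-in session user. The endpoint and issuer templates are assumed Entra ID v2.0 values; the signature check against the IdP's JWKS is assumed to have been done by a JWT library before `validate_step_up_claims` is called.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Assumed endpoint/issuer templates for an Entra ID tenant (hypothetical, not from the post).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
EXPECTED_ISSUER = "https://login.microsoftonline.com/{tenant}/v2.0"

def make_pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE with the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_step_up_url(tenant, client_id, redirect_uri, login_hint, state, nonce, code_challenge):
    """Authorize URL to open in the popup; prompt=login makes the IdP ask for credentials again."""
    params = {
        "client_id": client_id,
        "response_type": "code",        # code is exchanged server-side with the client secret
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,                 # CSRF binding, stored in the server session
        "nonce": nonce,                 # bound to this popup, echoed back in the ID token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "prompt": "login",              # ignore the existing SSO session, force re-entry
        "login_hint": login_hint,       # prefill the signed-in user's UPN
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)

def validate_step_up_claims(claims, session, client_id, tenant, now=None, max_age_s=300):
    """Check ID token claims AFTER the signature was verified against the IdP's JWKS.
    `session` holds the already-signed-in user's oid and the nonce issued for this popup."""
    now = int(time.time()) if now is None else now
    iat, exp = claims.get("iat"), claims.get("exp")
    if claims.get("iss") != EXPECTED_ISSUER.format(tenant=tenant):
        return False, "issuer mismatch"
    if claims.get("aud") != client_id:
        return False, "audience mismatch"
    if claims.get("nonce") != session["nonce"]:
        return False, "nonce mismatch (replayed or foreign token)"
    if iat is None or exp is None or not (iat <= now < exp):
        return False, "token outside iat/exp window"
    if now - iat > max_age_s:
        return False, "token not freshly issued; re-authentication did not happen now"
    if claims.get("oid") != session["oid"]:
        return False, "approver differs from the signed-in user"
    return True, "ok"
```

The freshness window (`max_age_s`) is what turns a token check into a re-authentication check: a valid but minutes-old token from the original SSO login must not count as the approval step-up.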