Add support for choosing an MFA method in PublicClientApplication
Goals
Per https://github.com/himmelblau-idm/himmelblau/issues/619, add support in libhimmelblau for selecting other available MFA methods. This is to enable MFA in scenarios where the default MFA method is unavailable.
The next step is to integrate and test these changes into himmelblau to verify that something like Entra-based login/sudo on Ubuntu will work with an MFA method other than the default for a user. I am thinking this could be a configuration value in himmelblau, e.g. for certain devices, we will want to default to a different MFA method.
I tested these changes with a branch of himmelblau here: https://github.com/surry/himmelblau/tree/configure-mfa-method
It does accomplish what I was hoping, which is allowing an MFA method to be configured so that it is used instead of the default for a user/tenant.
Considerations
- I ran into some issues since I started by trying to test my changes in Python. It seemed like the Python API was broken due to updates in kanidm_hsm_crypto and other modules, so I tried fixing those build errors.
- I initially thought I needed to make changes in `acquire_token_by_mfa_flow()` in `PublicClientApplication`, so there are changes there to support passing in an MFA method string.
  - These may not be needed any more.
- After I started testing, I realized `initiate_acquire_token_by_mfa_flow()` is where the default MFA method was still being decided, so I added `initiate_acquire_token_by_mfa_flow_with_method()`.
- `initiate_acquire_token_by_mfa_flow_with_method()` will initiate the authentication with a specific MFA method and pass this through to `AuthMethodId` in `mfa_begin_auth_internal()`.
- The C API bindings probably need some updates; I have not tested those.
The new example Python script works with an App Registration I created in my tenant with a public client. I have voice calls to my mobile phone set up as an alternate MFA method, and am now able to authenticate with this option and get a token with these changes.
AI Assistance
- I used Claude Code to generate some of the code in this MR.
- I am not familiar with Rust so I was using Claude to help make the API changes to support specifying an MFA method and fix the build issues I encountered.
- I tried to have Claude plan its changes first, which were then reviewed before having it implement them.