Using native authentication in Entra External ID to sign up a user with email and OTP
First, read this post, as it covers a lot of the basics.
The documentation is here.
You can use the Graph API to sign up users as well, but this way lets you craft the UI entirely yourself.
Essentially, you use the API to sign up a user. You specify:
- an email address
- maybe provide a screen for the user to enter some attributes, e.g. given name, surname, etc.
- then, an OTP is sent to the email address, and you need to provide a way to enter it
- you send the OTP back to the API to verify
- you get a token
- the user is created in Entra External ID
You are free to do this on one page or use multiple pages or whatever.
As before, we will use Postman.
Note that each step gives a new continuation token that you have to copy to the next step.
Step 1
The URL is:
https://tenant.ciamlogin.com/tenant.onmicrosoft.com/signup/v1.0/start
with the form containing:
client_id=c7...18
&challenge_type=oob redirect
&attributes={"displayName": "Tom Gmail", "givenName": "Tom", "surname": "Gmail"}
&username=tom@gmail.com
&password=some secure password
Note: There are different options in the flow. You can provide all the information up front, as in this example, or you can provide e.g. the password later.
Note: tom@gmail.com is a fictitious user.
For the attributes, you need to use the schema attribute names, e.g. display name is called displayName. The attributes are supplied as a JSON object.
If you want to see the attribute names, you could use this utility.
The following is returned:
{
"continuation_token": "AQA...gAA"
}
Step 2
The URL is:
https://tenant.ciamlogin.com/tenant.onmicrosoft.com/signup/v1.0/challenge
with the form containing:
client_id=c7...18
&challenge_type=oob password redirect
&continuation_token=AQA...gAA
The following is returned:
{
"interval": 300,
"continuation_token": "AQA...gAA",
"challenge_type": "oob",
"binding_method": "prompt",
"challenge_channel": "email",
"challenge_target_label": "xxx@g*******m",
"code_length": 8
}
You should get this email sent to the address you specified above:
Step 3
The URL is:
https://tenant.ciamlogin.com/tenant.onmicrosoft.com/signup/v1.0/continue
with the form containing:
continuation_token=AQA...gts
&client_id=c7...18
&grant_type=oob
&oob=41219074
The following is returned:
{
"continuation_token": "BXq...XA$$"
}
As per the docs, the sign-up flow then depends on the scenario, as shown in the table:
The flow above describes the first scenario, as we have already submitted the password and attributes.
The next step is to request a token.
Step 4
The URL is:
https://tenant.ciamlogin.com/tenant.onmicrosoft.com/oauth2/v2.0/token
with the form containing:
continuation_token=BXq...
&client_id=c7...18
&username=tom@gmail.com
&grant_type=continuation_token
&scope=openid offline_access
The following is returned:
{
"token_type": "Bearer",
"scope": "openid profile email 00000003-0000-0000-c000-000000000000/User.Read",
"expires_in": 3749,
"ext_expires_in": 3749,
"access_token": "eyJ...Qfw",
"refresh_token": "0.A...mYY",
"id_token": "eyJ...kxg"
}
where the id_token looks like:
{
"aud": "c7...8",
"iss": "https://tenant.ciamlogin.com/tenant/v2.0",
"iat": 1712626315,
"nbf": 1712626315,
"exp": 1712630215,
"rh": "0.A...Nk.",
"sub": "qH0...ccw",
"tid": "7f...bb",
"uti": "at0...CAA",
"ver": "2.0"
}
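The four Postman steps above, chained end to end in one script. This is an added example, not code from the post or from Microsoft; the tenant base URL is a placeholder and get_otp is a hypothetical callback that hands back the code the user read from the email. The post argument is injectable so the sequencing can be exercised without a live tenant.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholder tenant base URL (assumption, not from the post); replace with your own tenant.
BASE_URL = "https://tenant.ciamlogin.com/tenant.onmicrosoft.com"

def post_form(url, form):
    """POST an application/x-www-form-urlencoded body and parse the JSON reply."""
    req = Request(url, data=urlencode(form).encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)

def signup_with_email_otp(client_id, username, password, attributes,
                          get_otp, post=post_form, base_url=BASE_URL):
    """Run the four-step sign-up; each response's continuation_token feeds the next request.
    get_otp(label, length) returns the code the user read from the email.
    Continuation tokens are bearer secrets for an in-flight sign-up: keep them out of logs."""
    # Step 1: start, supplying attributes (JSON object of schema names) and password up front
    r = post(f"{base_url}/signup/v1.0/start", {
        "client_id": client_id, "challenge_type": "oob redirect",
        "attributes": json.dumps(attributes), "username": username,
        "password": password})
    token = r["continuation_token"]
    # Step 2: request the challenge; the service picks one of the offered challenge types
    r = post(f"{base_url}/signup/v1.0/challenge", {
        "client_id": client_id, "challenge_type": "oob password redirect",
        "continuation_token": token})
    if r.get("challenge_type") != "oob":
        # anything other than an email OTP means the tenant wants a different flow; stop rather than guess
        raise RuntimeError(f"unexpected challenge_type: {r.get('challenge_type')}")
    token = r["continuation_token"]
    otp = get_otp(r["challenge_target_label"], r["code_length"])
    if len(otp) != r["code_length"]:
        raise ValueError("OTP length does not match code_length from the challenge response")
    # Step 3: submit the OTP against the token issued with the challenge
    r = post(f"{base_url}/signup/v1.0/continue", {
        "continuation_token": token, "client_id": client_id,
        "grant_type": "oob", "oob": otp})
    token = r["continuation_token"]
    # Step 4: exchange the final continuation token for access, refresh and ID tokens
    return post(f"{base_url}/oauth2/v2.0/token", {
        "continuation_token": token, "client_id": client_id,
        "username": username, "grant_type": "continuation_token",
        "scope": "openid offline_access"})
```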
The user is created in Entra External ID:
Notice that the “User type” is “Member” not “Guest”.
Not sure why it’s “unknown” since I did supply a displayName in the attributes?
All good!