Clarify Microsoft Entra validation modes for step-up auth

[mindymo]

Summary

• Clarify the two validation modes available for Microsoft Entra step-up authentication
• Make it easier for users to understand when to use OIDC vs ACRS mode

Changes

• Update intro table to explain how each validation mode works technically
• Rename tab titles to include mode names (OIDC/ACRS) for clarity
• Add note explaining ID tokens requirement for OIDC mode
• Update FAQ with clearer guidance on which mode to choose

Related

ductone/c1#13443

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Reorganized step-up authentication guide into consistent step-by-step blocks for all flows
  • Renamed approaches to "validation modes" and updated tab titles and headings accordingly
  • Added configuration fields (validation mode selection, Conditional Access ID, Tenant ID) and notes on ID token requirements and secret rotation
  • Updated user-facing Q&A and troubleshooting to match new modes and flow structure

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR restructures the step-up authentication docs: numbered instructions were converted into structured / blocks, "approaches" were renamed to "validation modes" (OIDC and ACRS), tab titles and headings updated, new mode-specific notes and fields for Microsoft Entra were added, and troubleshooting/FAQ wording was revised.

Changes

Cohort / File(s)	Summary
Documentation product/admin/step-up-auth.mdx	Reflowed procedural content into <Steps>/<Step> blocks; replaced "approaches" with "validation modes" and updated tab titles; added mode-specific notes (e.g., ID token requirement for OIDC), new Entra fields (Validation mode, Conditional Access IDs, Tenant ID), rotated-secret reminders, and revised troubleshooting/FAQ language.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through steps, made headings new,
OIDC and ACRS now clearer in view,
Notes on tokens and tenant IDs too,
Secrets to rotate, and guidance anew,
A doc-bunny's cheer for a tidy review! 🥕✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Clarify Microsoft Entra validation modes for step-up auth' directly and clearly summarizes the main change in the PR, which is to clarify the two Microsoft Entra validation modes (OIDC and ACRS) for step-up authentication documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch step-up-auth-validation-modes

---

No actionable comments were generated in the recent review. 🎉

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@product/admin/step-up-auth.mdx`:
- Around line 164-166: Update the Note block that currently ties the "ID token
not found in response" error to the "ID tokens (implicit/hybrid)" setting:
clarify that for the authorization-code flow the ID token is returned by the
/token endpoint only when the openid scope is requested, and that enabling the
implicit/hybrid ID tokens setting is unnecessary for authorization-code flow (it
only affects implicit/hybrid flows); replace the misleading sentence inside the
<Note> with text that states the missing ID token usually means the openid scope
was not requested rather than the implicit/hybrid setting being disabled.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Microsoft Entra ID OIDC authorization code flow ID token response openid scope

💡 Result:

In Microsoft Entra ID (Microsoft identity platform v2.0):

• If you use the authorization code flow (response_type=code), you get only a code from the /authorize endpoint, then you redeem it at the /token endpoint. (learn.microsoft.com)
• The /token response includes an id_token only when you requested the OIDC scope openid (for example: scope=openid profile email ...). (learn.microsoft.com)
• If you want an ID token returned immediately from /authorize (along with the code), you must use the hybrid flow: response_type=code id_token, and include scope=openid ... and a nonce. (learn.microsoft.com)

Citations:

• 1: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow?utm_source=openai
• 2: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow?utm_source=openai
• 3: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow?utm_source=openai

---

🌐 Web query:

Microsoft Entra "ID tokens" implicit hybrid flows required setting

💡 Result:

In Microsoft Entra ID App registrations → Authentication → “Implicit grant and hybrid flows” → “ID tokens”, you only need to enable this if your app requests an ID token from the /authorize endpoint (that is, you use an OAuth/OIDC response_type that includes id_token, such as implicit response_type=id_token or hybrid response_type=code id_token). If it’s not enabled and you request id_token, Entra ID returns an unsupported_response error (often “Expected value is ‘code’”). [1][2][4]

How to enable (two equivalent ways):

• Portal checkbox: App registration → Authentication → under your platform → Implicit grant and hybrid flows → check ID tokens. [1]
• Manifest: set oauth2AllowIdTokenImplicitFlow to true. [1]

Rule of thumb: if you’re using authorization code flow (with PKCE) via MSAL, you typically do not need to enable implicit/hybrid ID tokens; enable it only when you truly need hybrid sign-in (for example, some server-side web apps using hybrid auth). [2][3]

---

🌐 Web query:

Microsoft Entra OIDC token endpoint ID token openid scope authorization code

💡 Result:

In Microsoft Entra ID (Microsoft identity platform v2.0):

• /authorize is where you get the authorization code (and optionally an ID token in hybrid flow). (learn.microsoft.com)
• /token is where you redeem the authorization code to get tokens. The OIDC discovery document lists the tenant-specific token_endpoint. (learn.microsoft.com)

Getting an ID token with the authorization code flow

When you sign in using OIDC, include openid in the scope (optionally profile, email). (learn.microsoft.com)

1) Authorization request (get code)

GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?...

• Use response_type=code for pure auth-code flow.
• If you want an ID token immediately from /authorize, use hybrid: response_type=code id_token and include nonce. (learn.microsoft.com)

2) Token request (redeem code)

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

• grant_type=authorization_code
• code=...
• redirect_uri=...
• client_id=...
• PKCE: code_verifier=... (if used)
• Include OIDC scopes like openid (and optionally profile, email) in the flow so an ID token is issued for sign-in. (learn.microsoft.com)

Key point about where the ID token comes from

• Implicit/hybrid: ID tokens can be returned from /authorize (not /token) when response_type includes id_token. (learn.microsoft.com)
• Auth code flow: you redeem the code at /token to get tokens (and commonly receive an id_token when using OIDC scopes like openid). (learn.microsoft.com)

If you tell me your exact request/response (minus secrets)—especially the response_type you’re using on /authorize and the scope you send—I can pinpoint why you are/aren’t seeing an id_token in the /token response.

Citations:

• 1: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow?utm_source=openai
• 2: https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc?utm_source=openai
• 3: https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc?utm_source=openai
• 4: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow?utm_source=openai
• 5: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow?utm_source=openai
• 6: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-implicit-grant-flow?utm_source=openai
• 7: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow?utm_source=openai

---

Clarify that openid scope, not implicit/hybrid setting, is required for ID token in authorization-code flow.

The current note ties the "ID token not found" error to the "ID tokens (implicit/hybrid)" setting, which is misleading. Microsoft Entra documentation confirms that for authorization-code flow, ID tokens are returned from the /token endpoint when the openid scope is requested—enabling the implicit/hybrid setting is not required for this flow and is only needed for implicit or hybrid flows. The missing ID token typically indicates the openid scope was not requested, not that the implicit/hybrid setting is disabled.

✏️ Suggested rewording

 <Note>
-ID tokens are required for OIDC validation mode. Without this setting, you'll receive an "ID token not found in response" error.
+OIDC mode requires an ID token in the token response. If you see "ID token not found in response," confirm the request includes the `openid` scope and that your chosen flow returns ID tokens (enable implicit/hybrid only if you explicitly use those flows).
 </Note>

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	<Note>
	ID tokens are required for OIDC validation mode. Without this setting, you'll receive an "ID token not found in response" error.
	</Note>
	<Note>
	OIDC mode requires an ID token in the token response. If you see "ID token not found in response," confirm the request includes the `openid` scope and that your chosen flow returns ID tokens (enable implicit/hybrid only if you explicitly use those flows).
	</Note>

🤖 Prompt for AI Agents

In `@product/admin/step-up-auth.mdx` around lines 164 - 166, Update the Note block
that currently ties the "ID token not found in response" error to the "ID tokens
(implicit/hybrid)" setting: clarify that for the authorization-code flow the ID
token is returned by the /token endpoint only when the openid scope is
requested, and that enabling the implicit/hybrid ID tokens setting is
unnecessary for authorization-code flow (it only affects implicit/hybrid flows);
replace the misleading sentence inside the <Note> with text that states the
missing ID token usually means the openid scope was not requested rather than
the implicit/hybrid setting being disabled.

[mindymo]

Hey @degzhaus I've updated the step-up auth doc based on the changes in https://github.com/ductone/c1/pull/13443. Can you give the changes in this PR and this CodeRabbit flag a quick review and let me know if any changes are made before I publish? Many thanks.

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!