Open in app

Sign in

Write

Sign in

Limitations ADB2C ROPC Flow

Muhammad Imran
1 min readOct 25, 2022

--

The following flows are not supported:

· Server-to-server: The identity protection system needs a reliable IP address gathered from the caller (the native client) as part of the interaction. In a server-side API call, only the server’s IP address is used. If a dynamic threshold of failed authentications is exceeded, the identity protection system may identify a repeated IP address as an attacker.

· Confidential client flow: The application client ID is validated, but the application secret is not validated.

When using the ROPC flow, consider the following:

· ROPC doesn’t work when there is any interruption to the authentication flow that needs user interaction. For example, when a password has expired or needs to be changed, multi-factor authentication is required, or when more information needs to be collected during sign-in (for example, user consent).

· ROPC supports local accounts only. Users can’t sign in with federated identity providers like Microsoft, Google+, Twitter, AD-FS, or Facebook.

· Session Management, including keep me signed-in (KMSI), is not applicable.

Azure
Cloud Computing
Azure Active Directory
Cloud
Development

--

--

Muhammad Imran
Muhammad Imran

Written by Muhammad Imran

107 Followers
44 Following

Azure Solution Architect Expert | Microsoft Certified Trainer | AWS Community Builder | Author

Responses (1)

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams