Silent Login with MFA

pascal.ouellet · May 21, 2019, 3:51pm

@jburdette, have a look at this rule:

auth0/rules/blob/master/src/rules/require-mfa-once-per-session.js

/**
 *
 * This rule can be used to avoid prompting a user for multifactor authentication if they have successfully completed MFA in their current session.
 *
 * This is particularly useful when performing silent authentication (`prompt=none`) to renew short-lived access tokens in a SPA (Single Page Application) during the duration of a user's session without having to rely on setting `allowRememberBrowser` to `true`.
 *
 * @title Require MFA once per session
 * @overview Require multifactor authentication only once per session
 * @gallery true
 * @category multifactor
 */

function requireMfaOncePerSession(user, context, callback) {
  let authMethods = [];
  if (context.authentication && Array.isArray(context.authentication.methods)) {
    authMethods = context.authentication.methods;
  }

  const completedMfa = !!authMethods.find((method) => method.name === 'mfa');

This file has been truncated. show original

If the user has an active session for which they completed an MFA challenge, the context.authentication.methods will contain an entry with a name == 'mfa'. Based on this you can skip the callback.

Topic		Replies	Views
Silent Auth Fails due to MFA switched on Help mfa , silent-auth	8	7234	March 2, 2018
Propagating an Auth0 login on one application to multiple applications Help authentication-api , jwt , auth0 , api , login	5	3858	October 14, 2020
Issue with MFA "Remember this device for 30 days" Option and Silent Auth Failures Help mfa , one-time-password-otp-factor	0	500	March 5, 2024
Auth0 SPA silent auth failing due to SMS MFA Help login-experience , new-universal-login-experience	2	144	July 3, 2024
Silent auth failed during signup due to "Multifactor Authentication Required" Error Help login-experience , new-universal-login-experience	1	320	April 24, 2024

Silent Login with MFA

Related Topics