Access denied on OOB SMS association

Hi,

Currently following the documentation shown here: https://auth0.com/docs/multifactor-authentication/api/oob#3-confirm-the-authenticator-association

Getting generic 401 access error, i.e. {"error":"access_denied","error_description":"Unauthorized"} no matter what payload is submitted with OOB SMS. Have been unable to figure out a solution here.

curl --request POST \
  --url MY_AUTH0_URL \
  --header 'authorization: Bearer ACCESS_TOKEN' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=http://auth0.com/oauth/grant-type/mfa-oob \
  --data client_id=MY_CLIENT_ID \
  --data mfa_token=YOUR_MFA_TOKEN \
  --data oob_code=ata…i0i \
  --data binding_code=000000

  1. What’s the recommended way to debug this? Not able to get feedback from the API response to determine what part of the payload is incorrect.
  2. Given the user has not authenticated yet, is the access token above the same as the mfa token in this case?
  3. Binding code should be from the SMS correct (and not 000)? Might be obvious, but not explicit in the documentation on the above page.
  4. Could there be something missing from the app console config aside from enabling the SMS OOB provider?

Appreciate any insight, thanks -


What does your app have configured as Token Endpoint Authentication Method? If it’s set to “Post” or “Basic Auth”, you’ll have to provide the client secret as well.

Currently set to ‘None’. Request was tried with the client_secret previously as well, same result.

Unauthorized from the /oauth/token endpoint means that the client (the application) is failing to authenticate, that’s why I was referring to the client_secret (and, obviously, to the client_id, make sure that one is correct as well).

Given the user has not authenticated yet, is the access token above the same as the mfa token in this case?

That is correct. Although I tried the request without the header and the association worked as well.

Binding code should be from the SMS correct (and not 000)? Might be obvious, but not explicit in the documentation on the above page.

Yep, “binding code” is the code you receive in SMS.

I’ve gotten the response to show an error for missing grant type.

So the application type I’m currently using is Single Page application (SPA), which I am using a backend to proxy the request with the client_secret. Does this need type to be converted to use MFA?

I can’t add a token endpoint auth method to add the oob grant type for sms currently.

You should make sure you set the application type correctly and match it with the appropriate token endpoint authentication type:

  • Native and SPA application type should have the token endpoint authentication method set to “None” (because they are “public” clients)
  • Regular web app and M2M should have the token endpoint authentication method set to “Post” (because they can keep the secret secure).

So the application type I’m currently using is Single Page application (SPA), which I am using a backend to proxy the request with the client_secret. Does this need type to be converted to use MFA?

I’m not quite sure I’m following the architecture. If you have a SPA, then it should have the token endpoint auth method set to “None”. If there’s a backend API that needs to talk to Auth0 for whatever reason (e.g. to get tokens to the management API), then it would be a separate application with the token endpoint authentication method set to “Post”.

The SPA can drive the MFA enrollment directly from the client side without requiring a client secret. The SPA can have the MFA grant type enabled for it, ask for a token for the MFA API with the enroll grant and then use the /oauth/token endpoint to confirm the enrollment, without authenticating itself (i.e. without the client secret).

Does that make sense?
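The two requests that flow describes, as an added example that is not part of the thread or of Auth0's SDKs: a public SPA client enrolls an SMS authenticator with the mfa_token, then confirms it at /oauth/token with the mfa-oob grant and the binding code from the SMS, sending client_secret only when the application is a confidential client. The domain, client id and token values are placeholders; the requests are only built, not sent, so the code runs offline.

```python
"""Build the Auth0 MFA SMS enrollment requests for a public (SPA) client.
Added example, not Auth0's own code; endpoint paths and fields follow the
public Auth0 MFA API docs. All identifiers below are placeholders."""
import json
from urllib.parse import urlencode

MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob"


def build_associate_request(domain, mfa_token, phone_number):
    """Step 1: enroll an SMS authenticator (POST /mfa/associate).
    The bearer token is the mfa_token from the mfa_required error, not a
    user access token: the user has not finished logging in yet."""
    return {
        "url": f"https://{domain}/mfa/associate",
        "headers": {"Authorization": f"Bearer {mfa_token}",
                    "Content-Type": "application/json"},
        "body": json.dumps({"authenticator_types": ["oob"],
                            "oob_channels": ["sms"],
                            "phone_number": phone_number}),
    }


def build_confirm_request(domain, client_id, mfa_token, oob_code,
                          binding_code, client_secret=None):
    """Step 2: confirm the association (POST /oauth/token, mfa-oob grant).
    binding_code is the code the user received by SMS. client_secret is sent
    only for confidential clients (token endpoint auth method "Post"); a SPA
    with auth method "None" must not send one."""
    form = {"grant_type": MFA_OOB_GRANT, "client_id": client_id,
            "mfa_token": mfa_token, "oob_code": oob_code,
            "binding_code": binding_code}
    if client_secret is not None:
        form["client_secret"] = client_secret
    return {
        "url": f"https://{domain}/oauth/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(form),  # form-encodes the grant_type URL safely
    }


def explain_token_error(status, body):
    """Name the likely cause of a /oauth/token error, as discussed above:
    401 access_denied means the *client* failed to authenticate, so check
    client_id and the token endpoint auth method before the MFA fields."""
    err = json.loads(body).get("error") if body else None
    if status == 401 and err == "access_denied":
        return "client authentication failed: check client_id and auth method"
    return f"{status} {err}"
```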