Access token is missing permissions when using MFA

Hello,

I have 2 apps set up and using optional MFA, both with access to the same APIs.
RBAC is enabled.
App #1 is for the UI, this uses Auth Code + PKCE flow.
App #2 is for automated tests, this is using password grant type.

MFA is enforced by adding a role called “MFA” and a custom rule in the auth pipeline that includes google auth MFA when the user has that role.

App 1 all works no worries.
App 2 has an issues when using MFA, where the access token is created, but it is missing the “permissions” block.

To get the access token we do a POST to /oauth/token with the usual password grant type fields:

curl --location --request POST 'https://my-tenancy.au.auth0.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={client_id}' \
--data-urlencode 'client_secret={client_secret}' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username={username}' \
--data-urlencode 'password={password}' \
--data-urlencode 'scope=profile openid email' \
--data-urlencode 'audience=https://my-audience'

This responds with a 403 including the mfa token.
I then do the MFA request:

curl --location --request POST 'https://my-tenancy.au.auth0.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'mfa_token=Fe26.2*bff76d* ... snip ... -2kyYfc' \
--data-urlencode 'otp=241586' \
--data-urlencode 'grant_type=http://auth0.com/oauth/grant-type/mfa-otp' \
--data-urlencode 'client_id={client_id}' \
--data-urlencode 'client_secret={client_secret}'

This responds with the access token, however it’s missing the permissions

{
  "https://custom::email": "mfa_user@example.org",
  "https://custom::client_ip": "x.x.x.x",
  "https://custom::session_id": "223acdbe-7972-4dd6-8725-d7cdf171d097",
  "https://custom::roles": [
    "Client",
    "MFA Enabled"
  ],
  "https://custom::from_client": "TestApp",
  "https://custom::allow_payments": false,
  "iss": "https://my-tenancy.au.auth0.com/",
  "sub": "auth0|....",
  "aud": [
    "https://my_audience",
    "https://my-tenancy.au.auth0.com/userinfo"
  ],
  "iat": 1597792793,
  "exp": 1597796393,
  "azp": "0GY3WjM1evGWm9ehWd0RW4mtdEFNpP3K",
  "scope": "profile openid email",
  "gty": "password"
}

Here’s a token from the same password grant type without an MFA user

{
  "https://custom::email": "non_mfa_user@example.org",
  "https://custom::client_ip": "x.x.x.x",
  "https://custom::session_id": "439a0f58-728d-43f5-b825-43d696ff0795",
  "https://custom::roles": [
    "Client"
  ],
  "https://custom::from_client": "TestApp",
  "https://custom::allow_payments": false,
  "iss": "https://my-tenancy.au.auth0.com/",
  "sub": "auth0| .... ",
  "aud": [
    "https://my_audience",
    "https://my-tenancy.au.auth0.com/userinfo"
  ],
  "iat": 1597800589,
  "exp": 1597804189,
  "azp": "0GY3WjM1evGWm9ehWd0RW4mtdEFNpP3K",
  "scope": "profile openid email",
  "gty": "password",
  "permissions": [
    "bank:accounts.basic:read",
    "bank:accounts.detail:read",
    "bank:accounts.detail:update",
    "bank:accounts.payments:read",
    "bank:accounts.payments:write",
    "bank:payees:read",
    "bank:products.basic:read",
    "bank:products.detail:read",
    "bank:transactions:read"
  ]
}

Does anyone know how / why this would happen?

Hi! I have exactly the same problem
Did you find any solution for this weird problem?

Hi,
No I didn’t manage to resolve it. We were using MFA on a trial basis so we kind of gave up, but IIRC I did implement PKCE for the tests.

It was very frustrating.

Hope you work it out

@brock.mills issue was on Auth0 side. And now it have been fixed on their side

Thanks for sharing that with the rest of community!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.