Action login flow - acr value from upstream Okta IDP is not being populated for Auth0 to leverage

Hi all,

Scenario: I have a SPA application connected with Auth0 and Okta acting as an IDP.

Context: I am trying to leverage a Login Action to check the acr value to inform Auth0 if 2FA has already been performed upstream on the IDP. This will allow me to apply some logic to either allow the user to progress through to the app if the user has previously performed 2FA on an IDP organisation or, if not, enforce another event such as a local Auth0 Guardian enrolment.

Action Code:

exports.onExecutePostLogin = async (event, api) => {
  // Check if the ACR claim array has values
  const acrClaim = event.transaction.acr_values;
  if (!acrClaim || acrClaim.length === 0) {
    // ACR claim is either not present or has no values, indicating 2FA was not completed upstream.
    console.log('ACR claim is not present or has no values, enforcing 2FA');
    // Check if the user has already enabled MFA with the "guardian" provider
    const enabledMfa = event.user.app_metadata && event.user.app_metadata.guardian;
    if (!enabledMfa) {
      console.log("MFA not enrolled. Enrolling user.");
      // Require the user to enroll in MFA using the Guardian provider.
      api.multifactor.enable("guardian");
      // Update the user's metadata to represent that they've enabled MFA with the "guardian" provider.
      // setAppMetadata takes the key and the value as separate arguments.
      api.user.setAppMetadata("guardian", true);
    }
  } else {
    // ACR claim has values, indicating authentication strength was indicated.
    console.log('ACR claim has values:', acrClaim);
  }
};

Problem: When debugging the code, I can validate it picks up the acr value and performs the correct action, but when running this against Okta as an IDP, as it would during a proper authentication flow, the event.transaction returns no acr values from Okta’s authentication flow, which includes 2FA. I have also tested this with Azure acting as an IDP and had the same result.

Any suggestions would be greatly appreciated.

Thanks.

Any suggestions from anyone? I can’t get this ACRS value to populate.

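Added example, not part of the original post and not Auth0's or Okta's code: `event.transaction.acr_values` carries the `acr_values` sent in the application's authorization request, so this sketch treats it as request-supplied and makes the MFA decision from evidence about what was actually performed. It assumes the connection maps the upstream IdP's `amr` claim onto the user profile as `upstream_amr` (a hypothetical attribute name); `decideMfa` and the sample events are constructed for illustration.

```javascript
// Added example. ASSUMPTION: the connection maps the upstream IdP's `amr`
// claim onto the user profile as `upstream_amr` (hypothetical attribute name).
function decideMfa(event) {
  // acr_values here come from the application's authorization request, so
  // they record what was asked for, not what the upstream IdP performed.
  const requestedAcr = event.transaction?.acr_values ?? [];

  // Factors Auth0 itself completed in this session.
  const methods = event.authentication?.methods ?? [];
  if (methods.some((m) => m.name === "mfa")) {
    return { requireMfa: false, reason: "auth0-mfa-in-session", requestedAcr };
  }

  // Evidence asserted by the upstream IdP (assumed mapping, see above).
  // "mfa" is the RFC 8176 amr value for multiple-factor authentication.
  const upstreamAmr = [].concat(event.user?.upstream_amr ?? []);
  if (upstreamAmr.includes("mfa")) {
    return { requireMfa: false, reason: "upstream-mfa-asserted", requestedAcr };
  }
  return { requireMfa: true, reason: "no-mfa-evidence", requestedAcr };
}

// Handler with the same shape as the Action in the post; in an Action it
// would be assigned to exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  const decision = decideMfa(event);
  console.log("MFA decision:", decision.reason, "requested:", decision.requestedAcr);
  if (decision.requireMfa) api.multifactor.enable("guardian");
  return decision;
};

// Constructed sample events so the logic can be run offline.
const federatedNoEvidence = {
  transaction: { acr_values: [] },
  authentication: { methods: [{ name: "federated" }] },
  user: {},
};
const requestOnlyAcr = {
  ...federatedNoEvidence,
  transaction: { acr_values: ["urn:example:mfa"] }, // constructed value
};
const upstreamMfa = { ...federatedNoEvidence, user: { upstream_amr: ["pwd", "mfa"] } };

for (const [name, ev] of Object.entries({ federatedNoEvidence, requestOnlyAcr, upstreamMfa })) {
  console.log(name, "->", decideMfa(ev).reason);
}
```

The `requestOnlyAcr` case still ends in a Guardian prompt: a value that arrives with the authorization request is not treated as proof that a second factor was completed upstream.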