Add Guardian phone number to idToken

Context:

  • We’re developing an application where SMS MFA is enforced. (Required in the sign-up flow provided by Auth0)
  • We have a profile page where we want to show the current phone number, and change the phone number
  • We have established that the phone_number field in the profile is only used for passwordless login, and is irrelevant to us
  • We have set the tenant flag to not have the phone numbers masked

We’ve made a rule to try to put the phone number in the idToken, but it doesn’t seem to be available there.

We cannot set the number in the SMS hook, because then the phone number hasn’t been confirmed yet.

How do we get the phone number to show up in the profile?

Hi @waltervandenhouten,

Adding the phone number used during MFA in the ID Token in a rule may not be possible since MFA occurs after rules execute in the auth flow.

After MFA, if you have the disable_management_api_sms_obfuscation flag set to true in your tenant settings (see answer: Getting Users' Phone Numbers - #9 by Saltuk), then you can use GET /api/v2/guardian/enrollments/{id} to get the user’s phone number.

{
  "id": "dev_abc123",
  "status": "confirmed",
  "phone_number": "+1 1234567891",
  "type": "sms",
  "last_auth": "2021-03-10T15:26:14.012Z"
}

Or you could use progressive profiling to ask the user for the phone number on a subsequent login.

Initially we called /mfa/authenticators. It is surprising to me that a user cannot see their phone number through that, or that it is not available during the login process to add to the profile, but OK.

We then figured that the disable_management_api_sms_obfuscation flag only applies to the management API. Then we discovered that calling /api/v2/users/{id} does not provide any of the enrollments.

This would mean we have to first query the user’s enrollments through the Authentication API, and then make another call to the management API for the specific enrollment that is the active SMS enrollment.

That’s a huge hurdle for something that should be very trivial. Is there an easier route?

We’re currently considering disabling forced MFA and asking the user for the phone number after first login. (Blocking the user from doing any other actions, including putting a policy on all API endpoints to check for having an approved phone number, and also storing the phone number in a separate database that we manage ourselves.)

There has to be an easier way, right?
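The two-step route described in this thread (list the user's authenticators through the Authentication API, then fetch the confirmed SMS enrollment through the Management API once disable_management_api_sms_obfuscation is set), written out as an added example. This is not Auth0's code nor the poster's; it assumes a placeholder tenant domain, a user access token with the scope Auth0 documents for /mfa/authenticators and a Management API token allowed to read Guardian enrollments, that the authenticator list has the documented shape (`authenticator_type`, `oob_channel`, `active`), and that the Guardian enrollment id is the part of the authenticator id after the `|`. The sample responses are constructed, modelled on the enrollment JSON above; the HTTP function is injectable so the flow runs offline.

```python
import json
import re
import urllib.request

# Assumed tenant domain; replace with your own Auth0 domain.
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"  # placeholder


def http_get_json(url, bearer_token):
    """Minimal GET helper: returns the parsed JSON body of an authenticated request."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def active_sms_enrollment_id(authenticators):
    """Pick the active SMS authenticator from a /mfa/authenticators response.

    Assumption: the authenticator id has the form "sms|dev_xxx" and the part
    after the bar is the Guardian enrollment id used by the Management API.
    """
    for auth in authenticators:
        if (auth.get("authenticator_type") == "oob"
                and auth.get("oob_channel") == "sms"
                and auth.get("active") is True):
            return auth["id"].split("|", 1)[-1]
    return None


def confirmed_phone_number(enrollment):
    """Return the whitespace-free phone number from a Guardian enrollment, or raise.

    The thread's sample enrollment carries "+1 1234567891"; whitespace is
    removed before validation. A value with anything other than digits after
    the leading "+" is treated as still obfuscated, i.e. the tenant flag
    disable_management_api_sms_obfuscation is not in effect (assumed mask shape).
    """
    if enrollment.get("type") != "sms" or enrollment.get("status") != "confirmed":
        raise ValueError("enrollment is not a confirmed SMS enrollment")
    number = re.sub(r"\s+", "", enrollment.get("phone_number", ""))
    if not re.fullmatch(r"\+\d{8,15}", number):
        raise ValueError("phone number is missing or still masked; check the tenant flag")
    return number


def lookup_mfa_phone(user_access_token, mgmt_api_token, domain=AUTH0_DOMAIN, get=http_get_json):
    """Two-step lookup: Authentication API for the authenticator list, then
    Management API for the unmasked enrollment. `get` is injectable so the
    flow can be exercised offline. Returns None when no active SMS factor exists."""
    authenticators = get(f"https://{domain}/mfa/authenticators", user_access_token)
    enrollment_id = active_sms_enrollment_id(authenticators)
    if enrollment_id is None:
        return None
    enrollment = get(f"https://{domain}/api/v2/guardian/enrollments/{enrollment_id}", mgmt_api_token)
    return confirmed_phone_number(enrollment)


# Constructed sample responses (not captured from a real tenant): the
# enrollment mirrors the JSON shown in the thread, the authenticator list
# follows the documented shape of /mfa/authenticators.
SAMPLE_AUTHENTICATORS = [
    {"id": "recovery-code|dev_rec001", "authenticator_type": "recovery-code", "active": True},
    {"id": "sms|dev_abc123", "authenticator_type": "oob", "oob_channel": "sms",
     "name": "XXXXXXX891", "active": True},
]
SAMPLE_ENROLLMENT = {
    "id": "dev_abc123",
    "status": "confirmed",
    "phone_number": "+1 1234567891",
    "type": "sms",
    "last_auth": "2021-03-10T15:26:14.012Z",
}


def fake_get(url, _token):
    """Offline stand-in for http_get_json, keyed on the URL path."""
    if url.endswith("/mfa/authenticators"):
        return SAMPLE_AUTHENTICATORS
    if url.endswith("/api/v2/guardian/enrollments/dev_abc123"):
        return SAMPLE_ENROLLMENT
    raise KeyError(url)


if __name__ == "__main__":
    print(lookup_mfa_phone("user-token", "mgmt-token", get=fake_get))  # +11234567891
```

The masked-number check is the part worth keeping even if the rest is replaced: without the tenant flag the Management API still answers 200 with an obfuscated value, so a profile page that trusts the field blindly would display a masked number as if it were real.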
