Overview
This article describes how to add the phone number (including the country code) of a user's Multi-Factor Authentication (MFA) SMS enrollment to the ID token as a custom claim, using a post-login action and the Management API.
Applies To
- Multifactor Authentication (MFA)
- SMS-based MFA
Solution
Follow these steps to retrieve MFA enrollment information and add it to the ID token:
- Disable phone number obfuscation
First, disable phone number obfuscation by patching the tenant settings flags through the Management API:
PATCH https://<domain>/api/v2/tenants/settings
Content-Type: application/json
Authorization: Bearer <management API token>
{
"flags": {
"disable_management_api_sms_obfuscation": true
}
}
This setting makes SMS phone numbers visible, unmasked, in Management API responses. It is a tenant-wide setting: every caller with read access to users or authentication methods will see full numbers, not only the action created below, so scope Management API clients accordingly.
- Create an action
Create a post-login action that retrieves the phone number from the Management API and adds it to the ID token as a custom claim. Add axios as a dependency of the action, and read the tenant domain and Management API token from the action's secrets (configured in the next step) rather than hard-coding them in the source.
Here is an example:
const axios = require('axios');

exports.onExecutePostLogin = async (event, api) => {
  // Domain and Management API token come from the action's secrets, not from source.
  const domain = event.secrets.AUTH0_DOMAIN;
  const token = event.secrets.MANAGEMENT_API_TOKEN;
  try {
    const response = await axios.get(
      `https://${domain}/api/v2/users/${encodeURIComponent(event.user.user_id)}/authentication-methods`,
      {
        headers: {
          Authorization: `Bearer ${token}`
        }
      }
    );
    // Only a confirmed phone enrollment carries a number that is safe to put in the token.
    const smsEnrollment = response.data.find(
      enrollment => enrollment.type === 'phone' && enrollment.confirmed
    );
    if (smsEnrollment && smsEnrollment.phone_number) {
      api.idToken.setCustomClaim('phone_number', smsEnrollment.phone_number);
    }
  } catch (error) {
    // Log the error message only; the enrollment payload contains the phone number (PII)
    // and should not be written to the action logs.
    console.log('Error retrieving enrollment:', error.message);
  }
};
- Configure secrets
Add the following secrets to the action; the code reads them from event.secrets:
- AUTH0_DOMAIN: The Auth0 tenant domain (for example, your-tenant.us.auth0.com, without a scheme)
- MANAGEMENT_API_TOKEN: A Management API access token with the necessary permissions
NOTE: The Management API token must carry the scope the endpoint requires. The article uses read:users; the authentication-methods endpoint is documented with the read:authentication_methods scope, so verify the scope against the Management API reference for the endpoint before relying on it.
Also, since a secret value is limited to 2048 bytes, create a separate machine-to-machine application specifically for this action and grant it only the scope it needs. This keeps the access token small enough to store as a secret and limits what a leaked token can read. Management API tokens expire, so the secret must be rotated before the token's expiry or the action will silently stop adding the claim.
- Retrieve the phone number from the ID token
The phone number (including the country code) is now available in the ID token as a custom claim named phone_number. Users with no confirmed SMS enrollment, or logins where the Management API call fails, receive an ID token without the claim, so clients must treat it as optional.
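The claim-selection logic of the action above, as an added example that is not part of the original article, factored so it runs offline against a constructed Management API response and stand-ins for the Actions `event` and `api` objects. It assumes the response item shape ({ id, type, confirmed, phone_number }) and the `api.idToken.setCustomClaim` and `event.secrets` interfaces; `fetchAuthMethods` is a hypothetical injectable fetcher standing in for axios. It goes one step beyond the article: a number that is not plain E.164 (which is what a still-obfuscated response looks like, since masked digits are not digits) is rejected so that a masked value never lands in a token.

```javascript
// Added example (not from the Auth0 article). The response shapes, the fake
// Actions runtime and the sample data below are constructed for this example.

// E.164: '+', a non-zero leading digit, then up to 14 more digits.
const E164 = /^\+[1-9]\d{1,14}$/;

// Return the confirmed phone enrollment's number, or null. A number that is
// not plain E.164 (e.g. still obfuscated by the tenant setting) yields null.
function selectPhoneNumber(authMethods) {
  if (!Array.isArray(authMethods)) return null;
  const phone = authMethods.find(
    m => m && m.type === 'phone' && m.confirmed === true
  );
  if (!phone || typeof phone.phone_number !== 'string') return null;
  return E164.test(phone.phone_number) ? phone.phone_number : null;
}

// The action body with the HTTP call injected (fetchAuthMethods is a
// hypothetical stand-in for axios.get). Returns true if the claim was set.
async function addPhoneClaim(event, api, fetchAuthMethods) {
  try {
    const url = `https://${event.secrets.AUTH0_DOMAIN}/api/v2/users/` +
      `${encodeURIComponent(event.user.user_id)}/authentication-methods`;
    const headers = { Authorization: `Bearer ${event.secrets.MANAGEMENT_API_TOKEN}` };
    const methods = await fetchAuthMethods(url, headers);
    const number = selectPhoneNumber(methods);
    if (number) {
      api.idToken.setCustomClaim('phone_number', number);
      return true;
    }
    return false;
  } catch (err) {
    // Log the failure only, never the enrollment payload (it holds PII).
    console.log('Error retrieving enrollment:', err && err.message);
    return false;
  }
}

// Minimal stand-in for the Actions `api` object: records custom claims.
function makeFakeApi() {
  const claims = {};
  return { claims, idToken: { setCustomClaim: (k, v) => { claims[k] = v; } } };
}

// Constructed event: a user id and the two secrets the article configures.
const sampleEvent = {
  user: { user_id: 'auth0|0123456789abcdef' },
  secrets: { AUTH0_DOMAIN: 'example.auth0.com', MANAGEMENT_API_TOKEN: 'test-token' },
};

// Constructed responses: a clear number next to a TOTP enrollment, a number
// still masked by obfuscation, and an unconfirmed phone enrollment.
const sampleResponses = {
  clear: [
    { id: 'totp|dev_1', type: 'totp', confirmed: true },
    { id: 'phone|dev_2', type: 'phone', confirmed: true, phone_number: '+15551234567' },
  ],
  masked: [
    { id: 'phone|dev_3', type: 'phone', confirmed: true, phone_number: '+1XXXXXXX567' },
  ],
  unconfirmed: [
    { id: 'phone|dev_4', type: 'phone', confirmed: false, phone_number: '+15551234567' },
  ],
};

// Fetcher that checks the request the action would send, then returns the
// constructed response (or throws, to exercise the error path).
function fakeFetcher(response) {
  return async (url, headers) => {
    if (!url.startsWith('https://example.auth0.com/api/v2/users/auth0%7C')) {
      throw new Error('unexpected URL: ' + url);
    }
    if (headers.Authorization !== 'Bearer test-token') throw new Error('bad token');
    if (response === null) throw new Error('simulated 401 from Management API');
    return response;
  };
}

// Run the action against one constructed response; resolves to the outcome.
async function run(kind) {
  const api = makeFakeApi();
  const response = kind === 'error' ? null : sampleResponses[kind];
  const set = await addPhoneClaim(sampleEvent, api, fakeFetcher(response));
  return { set, claims: api.claims };
}
```

Calling run('clear') yields { set: true, claims: { phone_number: '+15551234567' } }; run('masked'), run('unconfirmed') and run('error') all leave the claims object empty, so a client never receives a masked or unverified number under the claim name.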