Associate MFA factor from own UI: error on factor activation

Hey @thijmen96
It’s admittedly confusing, but the “MFA token” can be obtained in two ways:

  • what’s returned as the mfa token along with the mfa_required error in the resource owner password grant flow
  • the access token you obtain with regular /authorize request, with an audience=https://YOUR_AUTH0_DOMAIN/mfa/ and scopes enroll read:authenticators delete:authenticators

So, essentially, the same token used for enrollment is used to confirm the authenticator.

If you are using custom domains there’s a small gotcha: you can use your custom domain for the /oauth/token for all requests, but the MFA API audience will still need to be https://YOUR_AUTH0.COM_DOMAIN/mfa/.

I just tested the flow and it worked on my machine :smiley: (:tm:) If it still doesn’t work for you, show me the actual domain for your request, and the payload of the access token you are trying to use.

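As an added example (not the poster's or Auth0's code), the pieces described above in Python: building the password-grant request so that /oauth/token may use the custom domain while the audience stays on the auth0.com domain, taking the MFA token from either response shape, and inspecting an access token's aud and scope claims to see why the MFA API would refuse it. The domain names, client id and the token fixture are constructed for the example.

```python
import base64
import json
# Constructed for this example: a tenant's auth0.com domain and its custom domain.
AUTH0_DOMAIN = "example-tenant.auth0.com"
CUSTOM_DOMAIN = "login.example.com"
MFA_SCOPES = ("enroll", "read:authenticators", "delete:authenticators")

def mfa_audience(auth0_domain):
    # The MFA API audience is always the auth0.com domain, even when a custom domain is used.
    return f"https://{auth0_domain}/mfa/"

def build_mfa_token_request(client_id, username, password, auth0_domain, custom_domain=None):
    # Password grant against /oauth/token: the endpoint may sit on the custom domain,
    # but the audience must not, or the MFA API will not accept the resulting token.
    host = custom_domain or auth0_domain
    body = {"grant_type": "password", "client_id": client_id, "username": username,
            "password": password, "audience": mfa_audience(auth0_domain),
            "scope": " ".join(MFA_SCOPES)}
    return f"https://{host}/oauth/token", body

def mfa_token_from_response(response_json):
    # Both sources named in the post: the mfa_token beside an mfa_required error, or an
    # access_token issued for the MFA audience. None if the response carries neither.
    if response_json.get("error") == "mfa_required":
        return response_json.get("mfa_token")
    return response_json.get("access_token")

def make_unsigned_token(claims):
    # Test fixture only: a JWT-shaped string with the given payload and an empty signature.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'

def jwt_payload(token):
    # Inspection only: decodes the payload without verifying the signature.
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check_mfa_access_token(token, auth0_domain):
    # Explain why the MFA API would reject this token; an empty list means it looks right.
    claims = jwt_payload(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    problems = []
    if mfa_audience(auth0_domain) not in aud:
        problems.append(f"aud {aud} lacks {mfa_audience(auth0_domain)}")
    missing = sorted(set(MFA_SCOPES) - set(claims.get("scope", "").split()))
    if missing:
        problems.append("missing scopes: " + " ".join(missing))
    return problems
```

Run check_mfa_access_token on the token you are sending to the MFA API: a wrong aud (typically the custom domain) or a missing scope is the usual reason the activation call fails.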