Associate MFA factor from own UI: error on factor activation

nicolas_sabena · July 7, 2020, 3:27am

Hey @thijmen96
It’s admittedly confusing, but the “MFA token” can be obtained in two ways:

what’s returned as the mfa token along with the mfa_required error in the resource owner password grant flow
the access token you obtain with regular /authorize request, with an audience=https://YOUR_AUTH0_DOMAIN/mfa/ and scopes enroll read:authenticators delete:authenticators

So, essentially, the same token used for enrollment is used to confirm the authenticator.

If you are using custom domains there’s a small gotcha: you can use your custom domain for the /oauth/token for all requests, but the MFA API audience will still need to be https://YOUR_AUTH0.COM_DOMAIN/mfa/.

I just tested the flow and worked on my machine () If it still doesn’t work for you, show me the actual domain for your request, and the payload of the access token you are trying to use.

Topic		Replies	Views
How to get MFA API Access Tokens? Get Help mfa , mfa-api	3	5842	February 28, 2023
OTP Setup via API needs mfa_token Get Help mfa	3	3535	July 27, 2019
MFA association keeps failing Get Help authentication-api , auth0 , api , mfa , login	3	5083	May 23, 2019
{"error"=>"access_denied", "error_description"=>"User is already enrolled."} Get Help	6	4766	January 31, 2020
Automate device enrolment process for testing Get Help auth0 , mfa	6	4549	February 2, 2019

Associate MFA factor from own UI: error on factor activation

Related topics