Auth0 Authentication API MFA problems

Hey there, thought to try my luck here.

I am trying to create a fully custom UI using just the Auth0 API for the authentication logic.
I cannot create my UI with Universal Login.

There seem to be 2 big problems with the Auth0 Authentication API when used with MFA.

  1. When performing the /authorize call to do social login (through API redirect, or with the Auth0 SDK), it will still attempt to render the Universal Login MFA page in case MFA is required (to set up a new device, or input an OTP). It happens because I have a tenant with an Auth0 MFA rule, and there is a piece of code that checks if the user has completed MFA or not and sets:
      context.multifactor 

I need this line of code, because when using other API calls, it will return "mfa_required" with an mfaToken.
I expect the same error to be returned when doing social login, but instead it renders Universal Login just in that case…

  2. Refreshing tokens: getting a refreshToken and using it to receive a new accessToken works just fine, except for a user with MFA enabled; it will require MFA to be redone every time you try to use the refreshToken.
    Through Universal Login this doesn't happen, because it probably sets some special cookie that remembers you have completed MFA, and this line of code in the Auth0 rule will find it:
context.authentication.methods.find((method) => method.name === "mfa");

When it's not done through Universal Login, it will not find the "method" and require MFA to be done again.

Any ideas?

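As an added example, not code from the original post: an Auth0 Rule in the shape the post refers to, with the `context.authentication.methods` check and the `context.multifactor` assignment in one place. It assumes the Rules contract as documented by Auth0 (a `rule(user, context, callback)` function, `context.authentication.methods` as a list of `{ name, timestamp }` entries with the timestamp in seconds since the epoch, and `context.multifactor = { provider: 'any' }` asking Auth0 to enforce MFA); the 30-day maximum age and the `MFA_MAX_AGE_SECONDS` constant are a hypothetical policy chosen for illustration.

```javascript
// Added example, not the original post's rule. Assumptions: Auth0 Rules receive
// (user, context, callback); context.authentication.methods lists completed
// methods as { name, timestamp } with timestamp in seconds since the epoch;
// setting context.multifactor = { provider: 'any' } makes Auth0 enforce MFA.

// Hypothetical policy: a recorded MFA completion is accepted for 30 days.
const MFA_MAX_AGE_SECONDS = 30 * 24 * 60 * 60;

/**
 * Decide whether MFA must be (re)done for this transaction.
 * Returns true when the session records no completed "mfa" method, when the
 * recorded entry has no usable timestamp, or when it is older than the policy.
 * `nowSeconds` is passed in so the decision is deterministic and testable.
 */
function mfaRequired(context, nowSeconds) {
  const methods =
    context.authentication && Array.isArray(context.authentication.methods)
      ? context.authentication.methods
      : [];
  const completed = methods.find((method) => method.name === 'mfa');
  if (!completed) return true;
  if (typeof completed.timestamp !== 'number') return true;
  return nowSeconds - completed.timestamp > MFA_MAX_AGE_SECONDS;
}

/**
 * The rule itself. A refresh-token exchange that did not record an "mfa"
 * method at login reaches this point with no such entry, which is the case
 * the post describes, and is therefore sent through MFA again.
 */
function rule(user, context, callback) {
  if (mfaRequired(context, Math.floor(Date.now() / 1000))) {
    context.multifactor = {
      provider: 'any',
      allowRememberBrowser: false,
    };
  }
  return callback(null, user, context);
}
```

The point of separating `mfaRequired` from `rule` is that the decision can be exercised with constructed contexts (with, without, and with a stale "mfa" entry) before the rule is deployed; whether a refresh-token exchange that lacks the entry should be treated as already verified is a policy question the post leaves open, and this example answers it the strict way by re-prompting.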