
Automate device enrolment process for testing


To whom it may concern,

I’m trying to automate the enrolment process through the UI using Selenium WebDriver. My issue is that when I’m seeing the QR code for the Guardian app I can extract the otpauth URI and have all the necessary params to generate the OTP. Now I’m at the request to associate an authenticator (UI did that for me and QR code is displayed) step and I want to confirm the authenticator association by calling oauth/token with body

{ "client_id": "YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET", "grant_type": "", "mfa_token": "YOUR_MFA_TOKEN", "otp": "000000" }

At the moment that the UI is waiting for an app to scan the QR code I have the secret key so I can generate an OTP which is required for the above call, I have the client_id and the client_secret but I’m missing the mfa_token.

Do you have any idea how to obtain the mfa_token?
Have I understood the flow of the UI correctly?
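
The OTP generation step mentioned in the question, as an added example that is not part of the original post and is not Auth0 code: it parses an otpauth://totp URI and computes the RFC 6238 code to send as "otp". The sample URI is constructed (its secret is the RFC 6238 test key), and the defaults of SHA1, 6 digits and a 30-second period are assumptions taken from the common otpauth key URI convention.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample URI: the secret is the RFC 6238 test key, not a real enrolment secret.
SAMPLE_URI = ("otpauth://totp/Example:tester%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Return (key_bytes, algorithm, digits, period) from an otpauth://totp URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in q:
        raise ValueError("URI has no secret parameter")
    secret = q["secret"].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # QR payloads usually drop base32 padding
    algorithm = q.get("algorithm", "SHA1").lower()  # assumed default: SHA1
    if algorithm not in ("sha1", "sha256", "sha512"):
        raise ValueError("unsupported algorithm")
    digits = int(q.get("digits", 6))    # assumed default: 6 digits
    period = int(q.get("period", 30))   # assumed default: 30 seconds
    return base64.b32decode(secret), algorithm, digits, period


def totp(uri, at=None):
    """Compute the RFC 6238 code for the URI at Unix time `at` (default: now)."""
    key, algorithm, digits, period = parse_otpauth(uri)
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros


if __name__ == "__main__":
    print(totp(SAMPLE_URI))
```

The secret in the URI is the enrolled factor itself, so a test run should log the generated code at most, never the URI.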


:wave: @evlastos I am not too familiar with using selenium to test out the guardian app. I am going to check with my team to see what the approach would be here!


@evlastos I apologise for the delay in a response. Were you able to get this resolved? If not, please let me know.


Hi @jerdog

No I haven’t resolved it yet.


Hey there @evlastos, we actually have a blog post written about pulling the MFA token through the MFA API. This may be what you are looking for, so I have posted a snippet from the article below. However, if by chance I am mistaken, please let me know and we can work together to overcome this challenge!

request to the /token endpoint is performed.

POST /oauth/token HTTP/1.1

  "mfa_token": "<from step 1>",
  "oob_code": "<from step 2, optional>",
  "binding_code": "<from step 3, if 'binding_method' === 'prompt'>",
  "otp": "<from step 3, if challenge_type === 'otp'>",
  "grant_type": "<one of two strings, see below>"

Grant type must be one of two values: - For OTP: - For OOB:


HTTP/1.1 200 OK

  "access_token": "...",
  "expires_in": "...",

Note that certain methods do not require the user to input anything (push notifications, for example). For those cases, this request must be performed repeatedly until an access token is returned or the authorization is denied. If the client is expected to repeat the request again in the future (after a certain amount of time) the response will be:

HTTP/1.1 400 Bad Request

  "error": "authorization_pending"

This means the user has not performed any actions yet and the client should wait a bit before trying again. The error can also be slow_down if the client is not waiting enough between requests.

That’s it! If all went well, you now have an access token issued through MFA!


I wanted to follow up @evlastos and see how everything is going on the MFA front? Please let me know if you have any additional questions. Thanks!
