Can we use context.redirect after context.multifactor?

o.bezhan · April 27, 2023, 2:12pm

Hello! We have a problem with Rules & MFA enrolments and I’m not sure if we are doing something wrong, or Auth0 doesn’t support what we want.
We have rule, that redirects user to our custom UI during the first login to set the security question: (simplified code)

 function checkSecurityQuestionsSet(user, context, callback) {
    user.app_metadata = user.app_metadata || {};
    if (context.protocol === "redirect-callback") {
        // User was redirected to the /continue endpoint and they have completed security questions
        return callback(null, user, context);
      } else {
        if (!user.app_metadata.securityQuestionsCaptured){
            redirectTo = url.format({
                protocol: "https",
                host: "our_custom_ui"
                pathname: "/securityQuestions",
                query: { token: idToken },
              });
              context.redirect = {
                url: redirectTo,
              };
              return callback(null, user, context);
        }
        return callback(null, user, context);
      }
    }

It works fine, but now we want to enable MFA for some users as well. I modified the rule:

 function checkSecurityQuestionsSet(user, context, callback) {
    user.app_metadata = user.app_metadata || {};
    if (context.protocol === "redirect-callback") {
        // User was redirected to the /continue endpoint and they have completed security questions
        return callback(null, user, context);
      } else {
        if (user.app_metadata.mfa_enabled){
            context.multifactor = {
                provider: 'any',
                allowRememberBrowser: false
              };
              return callback(null, user, context);
        }

        if (!user.app_metadata.securityQuestionsCaptured){
            redirectTo = url.format({
                protocol: "https",
                host: "our_custom_ui"
                pathname: "/securityQuestions",
                query: { token: idToken },
              });
              context.redirect = {
                url: redirectTo,
              };
              return callback(null, user, context);
        }
        return callback(null, user, context);
      }
    }

I expect it to redirect user to our custom UI after MFA enrollment - something like:

User log in
Select preferred MFA method
Set up it
Auth0 redirect user to /securityQuestions
Fill in things in our custom UI
Redirect back to Auth0 /continue
Complete login and redirect to the application.

But instead, Auth0 redirects user to the application right after MFA enrollment - looks like it ignores context.redirect at all. Any ideas?