Cannot bypass mfa in actions

chrdevmar · August 6, 2024, 7:47am

Hello all, I am implementing optional 2fa into a react web app and encountering an issue where getAccessTokenSilently always fails with a Multifactor authentication required error.

My approach is to check if the user has already passed mfa at least once in their session inside of the onExecutePostLogin action, and bypass mfa is that the base, my code looks like so:

exports.onExecutePostLogin = async (event, api) => {

  if(event.authentication) {
    console.log(event.authentication)
    if (event.authentication.methods.find(({ name }) => name === 'mfa') ) {
      console.log('mfa already passed, disabling for this login attempt')
      api.multifactor.enable("none");
    }
  } else {
    console.log('no authentication methods recorded', event)
  }
};

When watching the logs in real time as I refresh the page (which results in a call to getAccessTokenSilently), I can see the action logging as I expect. It still always fails though.

The only other thing I can think of is that my audience that I am using for loginWithRedirect and getAccessTokenSilently is https://{myDomain}/mfa/ and I am requesting scopes to be able to list/add authenticators. Is there another hidden layer of logic outside of my control that is always enforcing mfa based on the audience and scopes I am requesting?

tyf · August 6, 2024, 10:31pm

Hey there @chrdevmar welcome to the community!

This is exactly what looks to be happening, see the warning here.

chrdevmar · August 6, 2024, 11:17pm

Ok thanks for confirming that, in that case I guess I will need to build my UX flow such that they have to interactively log in (seperate to their regular login) to get an mfa token at the time they want to add mfa to their account.

In terms of being to determine if they already have mfa setup, I was listing authenticators with the mfa api but I definitely don’t want to redirect them to the login screen just for this. Can I instead do this in the post login action by checking enrolled factors and attaching metadata to the user?

tyf · August 7, 2024, 9:30pm

No problem, happy to help!

Yes, assuming a non-MFA API audience you should just be able to check for enrolled factors - event.user.multifactor will provide an array of enrolled factors.

system · August 21, 2024, 9:31pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Workaround for MFA error when using getAccessTokenSilently with React Help auth0-react , sdks-quickstarts	3	1928	April 26, 2023
MFA is always required Help mfa , one-time-password-otp-factor	2	31	November 6, 2024
MFA migrating from rules to action causes OTP Auth failed Help mfa , one-time-password-otp-factor	5	208	July 2, 2024
MFA Failing with Action but not Rule Help	2	1572	September 29, 2022
Bypass Adaptive MFA using Actions Knowledge Articles multi-factor , actions , adaptive_mfa	1	958	November 30, 2023

Cannot bypass mfa in actions

Related Topics