Cannot bypass mfa in actions

Hello all, I am implementing optional 2fa into a react web app and encountering an issue where getAccessTokenSilently always fails with a Multifactor authentication required error.

My approach is to check if the user has already passed mfa at least once in their session inside of the onExecutePostLogin action, and bypass mfa if that is the case. My code looks like so:

exports.onExecutePostLogin = async (event, api) => {
  // event.authentication.methods lists the methods completed in this session
  if (event.authentication) {
    console.log(event.authentication)
    // If an 'mfa' entry is present, the session has already passed MFA once
    if (event.authentication.methods.find(({ name }) => name === 'mfa')) {
      console.log('mfa already passed, disabling for this login attempt')
      api.multifactor.enable("none");
    }
  } else {
    console.log('no authentication methods recorded', event)
  }
};

When watching the logs in real time as I refresh the page (which results in a call to getAccessTokenSilently), I can see the action logging as I expect. It still always fails though.

The only other thing I can think of is that my audience that I am using for loginWithRedirect and getAccessTokenSilently is https://{myDomain}/mfa/ and I am requesting scopes to be able to list/add authenticators. Is there another hidden layer of logic outside of my control that is always enforcing mfa based on the audience and scopes I am requesting?

Hey there @chrdevmar welcome to the community!

This is exactly what looks to be happening, see the warning here.

Ok thanks for confirming that, in that case I guess I will need to build my UX flow such that they have to interactively log in (separate to their regular login) to get an mfa token at the time they want to add mfa to their account.

In terms of being able to determine if they already have mfa setup, I was listing authenticators with the mfa api but I definitely don’t want to redirect them to the login screen just for this. Can I instead do this in the post login action by checking enrolled factors and attaching metadata to the user?

No problem, happy to help!

Yes, assuming a non-MFA API audience you should just be able to check for enrolled factors - event.user.multifactor will provide an array of enrolled factors.
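An added example (not the poster's or Auth0's own code) of the approach suggested above: a post-login Action that reads enrolled factors from event.user.multifactor, stores the enrollment state in app_metadata so the SPA does not need the MFA API audience to find it, and skips the challenge only when the current session already passed MFA. The event/api field names follow the Auth0 Actions post-login API; the sample events at the bottom are constructed.

```javascript
// Pure decision: what the Action should do for this login. Returns the
// app_metadata to write and the provider to pass to api.multifactor.enable
// (null means "leave the tenant's default MFA policy untouched").
function decideMfaPolicy(event) {
  const factors = Array.isArray(event.user && event.user.multifactor)
    ? event.user.multifactor
    : [];
  const methods = (event.authentication && event.authentication.methods) || [];
  const mfaThisSession = methods.some((m) => m.name === 'mfa');

  let provider = null;
  if (mfaThisSession) {
    provider = 'none'; // already satisfied in this session (e.g. silent token renewal)
  } else if (factors.length > 0) {
    provider = 'any';  // enrolled user on a fresh session: require a factor
  }
  return { mfaEnrolled: factors.length > 0, factors, provider };
}

// Action entry point: applies the decision through the Actions api object.
async function onExecutePostLogin(event, api) {
  const d = decideMfaPolicy(event);
  // Expose enrollment via app_metadata rather than the MFA API, so the app
  // can learn it without requesting the MFA-protected audience.
  api.user.setAppMetadata('mfa_enrolled', d.mfaEnrolled);
  api.user.setAppMetadata('mfa_factors', d.factors);
  if (d.provider !== null) api.multifactor.enable(d.provider);
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed sample events for offline checks (not real tenant data).
const silentRenewalEvent = {
  user: { multifactor: ['guardian'] },
  authentication: { methods: [{ name: 'pwd' }, { name: 'mfa' }] },
};
const freshLoginEvent = {
  user: { multifactor: ['guardian'] },
  authentication: { methods: [{ name: 'pwd' }] },
};
const notEnrolledEvent = {
  user: {},
  authentication: { methods: [{ name: 'pwd' }] },
};
```

Note that enabling 'none' only skips the challenge for the current transaction; an MFA-scoped audience is still enforced by the MFA API itself, as the reply above points out.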
