Hello all, I am implementing optional 2FA into a React web app and encountering an issue where `getAccessTokenSilently` always fails with a "Multifactor authentication required" error.

My approach is to check, inside the `onExecutePostLogin` action, whether the user has already passed MFA at least once in their session, and bypass MFA if that is the case. My code looks like so:
```javascript
exports.onExecutePostLogin = async (event, api) => {
  if (event.authentication) {
    console.log(event.authentication);
    // Look for a completed MFA step among the session's authentication methods
    if (event.authentication.methods.find(({ name }) => name === 'mfa')) {
      console.log('mfa already passed, disabling for this login attempt');
      api.multifactor.enable("none");
    }
  } else {
    console.log('no authentication methods recorded', event);
  }
};
```
When watching the logs in real time as I refresh the page (which results in a call to `getAccessTokenSilently`), I can see the action logging as I expect. It still always fails though.

The only other thing I can think of is that the audience I am using for `loginWithRedirect` and `getAccessTokenSilently` is `https://{myDomain}/mfa/`, and I am requesting scopes to be able to list/add authenticators. Is there another hidden layer of logic outside of my control that is always enforcing MFA based on the audience and scopes I am requesting?
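An added example, not the poster's code, of how the "skip MFA once it has been completed in this session" decision can be written defensively and exercised offline: the Action guards against `event.authentication` or `methods` being absent (a thrown error there fails the login outright), and the opt-in flag `app_metadata.mfa_enrolled`, the fake `api` object and the sample events are constructed assumptions.

```javascript
// Decide the MFA policy for one login. `event.authentication.methods` and
// `api.multifactor.enable(provider, options)` are the Auth0 Actions surfaces.
function mfaAlreadyCompleted(event) {
  // Guard each level: some flows carry no `authentication`, and a bare
  // `.find` on a missing `methods` would throw and abort the login.
  const methods = (event && event.authentication && event.authentication.methods) || [];
  return methods.some((m) => m && m.name === 'mfa');
}

function applyMfaPolicy(event, api) {
  if (mfaAlreadyCompleted(event)) {
    api.multifactor.enable('none'); // second factor already proven this session
    return 'none';
  }
  // Optional 2FA: challenge only users who opted in (constructed flag, an assumption).
  const optedIn = Boolean(event && event.user && event.user.app_metadata &&
    event.user.app_metadata.mfa_enrolled);
  if (optedIn) {
    api.multifactor.enable('any', { allowRememberBrowser: true });
    return 'any';
  }
  return 'no-op';
}

// The Action entry point Auth0 invokes; it delegates to the synchronous policy above.
const onExecutePostLogin = async (event, api) => { applyMfaPolicy(event, api); };
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Minimal fake of the Actions `api` that records what the Action asked for.
function fakeApi() {
  const calls = [];
  return { calls, multifactor: { enable: (provider, options) => calls.push({ provider, options }) } };
}

// Constructed sample events standing in for three real situations.
const firstLogin = { authentication: { methods: [{ name: 'pwd' }] },
  user: { app_metadata: { mfa_enrolled: true } } };
const silentRefreshAfterMfa = { authentication: { methods: [{ name: 'pwd' }, { name: 'mfa' }] },
  user: { app_metadata: { mfa_enrolled: true } } };
const noAuthInfoNotEnrolled = { user: { app_metadata: {} } };

// Returns the provider the Action selected, or 'no-op' when it made no call.
function decide(event) {
  const api = fakeApi();
  applyMfaPolicy(event, api);
  return api.calls.length ? api.calls[0].provider : 'no-op';
}
```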