Overview
There are 3 properties on the post login action event related to MFA:
event.user.multifactorevent.user.enrolledFactorsevent.authentication.methods
These event properties do not behave correctly according to the documentation.
Background
I’m writing a post-login action to add a custom claim to the id token to indicate if the user used MFA to login. This is the action I’m testing:
exports.onExecutePostLogin = async (event, api) => {
console.log(
[
JSON.stringify(event.user.multifactor ?? "undefined"),
JSON.stringify(event.authentication?.methods ?? "undefined"),
JSON.stringify(event.user.enrolledFactors ?? "undefined"),
].join(' ')
);
const mfaEnrolled = (
(event.user.multifactor?.length ?? 0) > 0
|| (event.user.enrolledFactors?.length ?? 0) > 0
|| event.authentication?.methods.some(m => m.name === "mfa")
)
api.idToken.setCustomClaim("urn:my-company:mfa-enrolled", mfaEnrolled);
};
For existing users with MFA enrolled, using either the Authorization Code Flow or the Refresh Token Flow, I get the following values:
event.user.multifactor = ["guardian"]event.user.enrolledFactors = [{"type": "otp"}, {"type": "recovery-code"}]event.authentication.methods- Authorization Code Flow:
= [{"name": "federated", "timestamp": "..."}] - Refresh Token Flow:
= []
- Authorization Code Flow:
Note that the event.authentication.methods never includes a {"name": "mfa"}, even though the documentation states:
Contains the authentication methods a user has completed during their session… The value “mfa”. The user completed multi-factor authentication (second or later factors).
For new users that enroll with MFA, using the Authorization Code Flow, I get the following values:
event.user.multifactor = []event.user.enrolledFactors = []event.authentication.methods = [{"name": "federated", "timestamp": "..."}]
Given that these users have enrolled with MFA, I would expect the event.user.multifactor and event.user.enrolledFactors properties to be populated.
In case it’s relevant, I have the “Customize MFA Factors using Actions” feature enabled.