I am trying to implement some conditional MFA by following this article Customize Multi-Factor Authentication Pages
The idea is that users will only be asked to perform MFA once per session rather than every time the JWT expires. I have a JWT expiry of 15 minutes. My client is an SPA.
I have a rule which checks if MFA has been performed for the current session and if not requests it by setting the context.multifactor property. My rule looks like this:
function multifactorAuthentication(user, context, callback) {
const completedMfa = !!context.authentication.methods.find(
(method) => method.name === 'mfa'
);
console.log('multifactorAuthentication - MFA completed was:', completedMfa);
if (!completedMfa) {
console.log('Request MFA');
context.multifactor = {
provider: 'any',
allowRememberBrowser: false
};
}
callback(null, user, context);
}
By looking at the real time logs, I can see that the first time the user logs in, the completedMfa flag is set to false and context.multifactor object is initialised.
When the JWT has expired, the SPA code calls checkSession() which results in my rule being executed again. This time the completedMfa flag is true and the conditional block setting up MFA is skipped. However, checkSession is returning an error saying login required. It appears that my script is not having any affect on whether MFA is required or not. What am I missing here?