Conditional multi-factor rule removes permissions from JWT

jmangelo · December 26, 2019, 11:04am

I was unable to reproduce this in a lab environment with only that rule enabled; for reference here’s the steps I did:

create a user, API and client application.
enable RBAC in API, set a permission directly to the user and configure user metadata to not request MFA.
login with the user and confirm the permissions are there in the token.
enable MFA in user metadata.
login again with the user.

In the last step I still saw permissions in the access token.

Can you confirm that is the only rule you have enabled in the tenant? If it is not it would be worthwhile to test with all other rules disabled and also provide more information about how you’re performing the login. For example, I used the new universal login experience to complete my test logins.

Topic		Replies	Views
Conditional MFA Not Working Get Help	3	2775	October 8, 2020
Use Rule to disable MFA Get Help mfa	4	4168	June 28, 2022
How to Enable MFA for a Subset of Users Knowledge Articles mfa , management-api , users , rule , user-profile , actions , use-mfa	1	10304	July 22, 2022
Migrating MFA rule to action Get Help mfa , mfa-api	6	739	October 25, 2023
Access token is missing permissions when using MFA Get Help jwt , mfa	5	2985	March 24, 2021

Conditional multi-factor rule removes permissions from JWT

Related topics