Hello,
I’ve implemented a couple of applications & APIs as a prototype for integrating with Auth0. Part of that prototype includes enrolling in & using MFA. The MFA works as follows:
- User logs in and lands on their dashboard
- Dashboard contains a button to initiate MFA enrollment
- Management API (via my custom API layer) is used to add an `mfa` flag to the profile's `user_metadata`
- Browser is sent back through the login flow (using the JS SDK)
- Rule detects the `mfa` flag and sets the context to require a multi-factor challenge
- User is directed to the MFA page and given the opportunity to enroll
This works just fine if the user attempts to enroll after a straight login. However, if the user attempts to enroll immediately after signing up, they are prompted for their credentials again. Is there a way to make both scenarios work without requiring the user to log in again? Conversely, can we always require a re-log before enrolling in MFA? My Product team would at least like the behavior to be consistent.
I don't know if it matters, but my front-end is Angular 10, with the auth0-js library, and my back-end is a Spring Boot API with the Auth0 Spring Security library. My MFA rule is below:
```javascript
function rule(user, context, callback) {
  // Don't challenge for MFA if the user already completed it in the current session.
  // context.authentication.methods lists the methods completed so far (e.g. 'pwd', 'mfa').
  const completedMfa = !!context.authentication.methods.find(
    (method) => method.name === 'mfa'
  );
  if (completedMfa) {
    return callback(null, user, context);
  }

  // Check to see if the user is enrolled in MFA (flag set via the Management API).
  user.user_metadata = user.user_metadata || {};
  if (user.user_metadata.mfa) {
    // Require a multi-factor challenge with whichever factor the user has enrolled.
    context.multifactor = {
      provider: 'any',
    };
  }
  callback(null, user, context);
}
```
Thanks in advance for any help you can provide,
–
Eric
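Editor's added example, not code from the post above or from Auth0: the rule's decision logic factored into a pure function so the scenarios the post describes (a fresh signup with no flag, a login with the `mfa` flag set, and a re-login after MFA was already completed in the session) can be exercised offline against constructed `user` and `context` objects. It goes slightly beyond the post's rule in two places, both assumptions of this example: it tolerates a `context` with no `authentication.methods` array instead of throwing, and it re-challenges when the session's `mfa` method is older than a hypothetical `MFA_MAX_AGE_SECONDS` policy (the `timestamp` field on each method is what makes that possible). The sample inputs are constructed, not real Auth0 data.

```javascript
// Added example; not the original post's rule and not Auth0 library code.

// Hypothetical policy for this example: a completed MFA older than this
// is not trusted for the current login and triggers a new challenge.
const MFA_MAX_AGE_SECONDS = 30 * 60;

// True if the current session completed MFA recently enough to skip the challenge.
function mfaCompletedRecently(context, nowSeconds) {
  // Assumption: context.authentication may be absent; treat that as "no methods".
  const methods = (context.authentication && context.authentication.methods) || [];
  const mfa = methods.find((m) => m.name === 'mfa');
  if (!mfa) return false;
  // A method record without a usable timestamp has unknown age: re-challenge.
  if (typeof mfa.timestamp !== 'number') return false;
  return nowSeconds - mfa.timestamp <= MFA_MAX_AGE_SECONDS;
}

// Pure decision: same ordering as the post's rule (session MFA first, then the flag).
function decideMfa(user, context, nowSeconds) {
  const userMetadata = user.user_metadata || {};
  if (mfaCompletedRecently(context, nowSeconds)) {
    return { challenge: false, reason: 'mfa-completed-this-session' };
  }
  if (userMetadata.mfa) {
    return { challenge: true, reason: 'mfa-flag-set' };
  }
  return { challenge: false, reason: 'not-enrolled' };
}

// Adapter with the (user, context, callback) rule signature, so the pure
// function above is what would run inside a rule.
function rule(user, context, callback) {
  const decision = decideMfa(user, context, Math.floor(Date.now() / 1000));
  if (decision.challenge) {
    context.multifactor = { provider: 'any' };
  }
  return callback(null, user, context);
}

// Constructed sample inputs (hypothetical user ids and timestamps).
const NOW = 1700000000;
const freshUser = { user_id: 'auth0|example-new', user_metadata: {} };
const enrolledUser = { user_id: 'auth0|example-enrolled', user_metadata: { mfa: true } };
const pwdOnly = { authentication: { methods: [{ name: 'pwd', timestamp: NOW - 5 }] } };
const pwdAndMfa = {
  authentication: {
    methods: [
      { name: 'pwd', timestamp: NOW - 10 },
      { name: 'mfa', timestamp: NOW - 5 },
    ],
  },
};
const staleMfa = { authentication: { methods: [{ name: 'mfa', timestamp: NOW - 2 * 3600 }] } };
const noAuthInfo = {};

// Runs every scenario and returns whether each one would be challenged.
function runScenarios() {
  return {
    signupNoFlag: decideMfa(freshUser, pwdOnly, NOW).challenge,      // false
    loginWithFlag: decideMfa(enrolledUser, pwdOnly, NOW).challenge,  // true
    relogAfterMfa: decideMfa(enrolledUser, pwdAndMfa, NOW).challenge, // false
    staleMfa: decideMfa(enrolledUser, staleMfa, NOW).challenge,      // true
    missingAuthInfo: decideMfa(enrolledUser, noAuthInfo, NOW).challenge, // true
  };
}

console.log(runScenarios());
```

The `staleMfa` and `missingAuthInfo` cases are the ones worth keeping in mind when reasoning about the post's two flows: whether the second pass through `/authorize` after signup carries an `authentication.methods` entry, and how old it is, is exactly what decides whether the rule challenges again.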