{"error"=>"access_denied", "error_description"=>"User is already enrolled."}

We allow our users to choose between SMS or the Google Authenticator app, and the first time they pick one the process runs through just fine.

When a user wants to change, our API gets this error:
{"error"=>"access_denied", "error_description"=>"User is already enrolled."}

Any help would be much appreciated :slight_smile:

2 Likes

Hello!

Could you give us more technical information about how you perform this MFA factor change?

Thanks.

1 Like

Hi @lucas.sonich

Thanks for replying :slight_smile:

Well, to associate an OTP device I use:

  1. I get the mfa_token using the /token
  2. I call the /mfa/associate endpoint using the new mfa_token from step 1

```ruby
require 'httparty'
require 'json'

# The mfa_token from step 1 is sent as the bearer token.
headers = { 'Content-Type' => 'application/json', 'Authorization' => "Bearer #{mfa_token}" }
body = {
  authenticator_types: ['otp'],
  scope: 'enroll read:authenticators remove:authenticators',
  audience: "#{RunEnv.var!('AUTH0_BASE_URL')}/mfa/"
}

# POST the association request for the OTP authenticator.
request = HTTParty.post(
  "#{RunEnv.var!('AUTH0_BASE_URL')}/mfa/associate",
  body: body.to_json,
  headers: headers
)
```

It's worth saying that the first time I associate a device, it works fine.

2 Likes

Unfortunately, you can’t overwrite the factor. First, you should remove the Google Authenticator app and then add the SMS factor (or vice versa). I hope that information is useful.

Thanks.

1 Like

Great, thanks for the response. Now that you mention the deletion, I must link to my previous question.

I could add more code, if needed.

1 Like

@lucas.sonich I’ve deleted the previous factor successfully (response 204 and it’s not shown anymore in the dashboard).

When adding the new factor (same code as shown above), I still receive the same response: {"error"=>"access_denied", "error_description"=>"User is already enrolled."}

Any idea how to proceed?

Thanks in advance

1 Like
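
The remove-then-add sequence suggested in this thread, written as an added example (not code from any of the posts) that re-lists the authenticators after the delete and refuses to call /mfa/associate while one is still active. `FakeMfaApi` and `swap_factor` are hypothetical names, the fake is a constructed stand-in that models only the behaviour reported above, and a real transport is assumed to attach the bearer token to the MFA API's list (`GET /mfa/authenticators`) and delete (`DELETE /mfa/authenticators/{id}`) calls.

```ruby
require 'json'

# Constructed stand-in for the MFA API so the flow runs offline. It models
# only what the thread reports: associate is refused while an active
# authenticator exists, and delete answers 204. Ids listed in `sticky`
# answer 204 but stay enrolled, to reproduce the follow-up's symptom.
class FakeMfaApi
  attr_reader :calls

  def initialize(authenticators, sticky: [])
    @authenticators = authenticators
    @sticky = sticky
    @calls = []
  end

  def call(verb, path, body = nil)
    @calls << "#{verb} #{path}"
    case "#{verb} #{path}"
    when 'GET /mfa/authenticators'
      [200, @authenticators.to_json]
    when %r{\ADELETE /mfa/authenticators/(.+)\z}
      id = Regexp.last_match(1)
      @authenticators.reject! { |a| a['id'] == id } unless @sticky.include?(id)
      [204, '']
    when 'POST /mfa/associate'
      enrolled = @authenticators.any? { |a| a['active'] }
      return [403, { error: 'access_denied' }.to_json] if enrolled

      [200, { authenticator_type: body[:authenticator_types].first }.to_json]
    end
  end
end

# Hypothetical helper: delete active factors, confirm none remain, then enroll.
def swap_factor(api, associate_body)
  active = -> { JSON.parse(api.call('GET', '/mfa/authenticators')[1]).select { |a| a['active'] } }
  active.call.each do |auth|
    status, = api.call('DELETE', "/mfa/authenticators/#{auth['id']}")
    raise "delete of #{auth['id']} returned #{status}" unless status == 204
  end
  leftover = active.call # a 204 alone does not prove the factor is gone
  raise "still enrolled: #{leftover.map { |a| a['id'] }.join(', ')}" unless leftover.empty?

  status, body = api.call('POST', '/mfa/associate', associate_body)
  raise "associate failed: #{body}" unless status == 200
  JSON.parse(body)
end
```

The error raised by the re-list step names the authenticator ids that are still active, which is the detail to include when reporting that a delete returned 204 but enrollment is still refused.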

Hello again!

Could you please give us more details about the call and the specific request that you are making?

Thanks.

1 Like