We allow our user to choose between SMS and the Google Authenticator app, and the first time they pick one the process runs through just fine.
When a user wants to change, our API gets this error:
{"error"=>"access_denied", "error_description"=>"User is already enrolled."}
Any help would be much appreciated.
Hello!
Could you give us more technical information about how you perform this MFA factor change?
Thanks.
Hi @lucas.sonich
Thanks for replying
Well, to associate an OTP device I use:
1. I get the mfa_token using the /token endpoint.
2. I call the /mfa/associate endpoint using the new mfa_token from step 1:
    require 'httparty'
    require 'json'

    # mfa_token is the token obtained from the /token call in step 1
    headers = { 'Content-Type' => 'application/json', 'Authorization' => "Bearer #{mfa_token}" }
    body = {
      authenticator_types: ['otp'],
      scope: 'enroll read:authenticators remove:authenticators',
      audience: "#{RunEnv.var!('AUTH0_BASE_URL')}/mfa/"
    }
    # POST to the tenant's /mfa/associate endpoint with the JSON body
    request = HTTParty.post(
      "#{RunEnv.var!('AUTH0_BASE_URL')}/mfa/associate",
      body: body.to_json,
      headers: headers
    )
Worth saying that the first time I associate a device it works fine.
Unfortunately, you can’t overwrite the factor. First, you should remove the Google Authenticator app and then add the SMS factor (or the other way around). I hope that information is useful.
Thanks.
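The remove-then-add sequence described in the reply above, as an added example that is neither the poster's nor Auth0's own code: it lists the user's authenticators, deletes the ones of the old type, then calls /mfa/associate, holding a single mfa_token for the whole sequence. The `transport` hook and the `MfaEnrollmentSwitcher` name are assumptions made so the sequence can be exercised offline; the endpoint paths are the Auth0 MFA API ones.

```ruby
require 'net/http'
require 'json'
require 'uri'

# Added example (not the poster's or Auth0's own code): swap a user's MFA
# factor by deleting the existing enrollment before calling /mfa/associate,
# reusing ONE mfa_token for the whole sequence. The `transport` hook is an
# assumption that lets the sequence run without a tenant; the default uses HTTP.
class MfaEnrollmentSwitcher
  # transport: callable (verb, path, headers, body) -> [status, parsed_json]
  def initialize(base_url, mfa_token, transport: method(:http_call))
    @base_url = base_url
    @headers = { 'Content-Type' => 'application/json',
                 'Authorization' => "Bearer #{mfa_token}" }
    @transport = transport
  end

  # Delete every enrolled authenticator whose type is in remove_types
  # ('otp' = authenticator app, 'oob' = SMS/email/push; recovery codes are
  # left alone), then associate the new factor. Returns the associate body
  # (for SMS it carries the oob_code that must later be verified together
  # with the binding_code and this same mfa_token).
  def replace(new_factor, remove_types: %w[otp oob])
    status, list = @transport.call(:get, '/mfa/authenticators', @headers, nil)
    raise "listing authenticators failed (HTTP #{status})" unless status == 200
    list.select { |a| remove_types.include?(a['authenticator_type']) }.each do |a|
      st, _ = @transport.call(:delete, "/mfa/authenticators/#{a['id']}", @headers, nil)
      raise "deleting #{a['id']} failed (HTTP #{st})" unless st == 204
    end
    status, body = @transport.call(:post, '/mfa/associate', @headers, new_factor.to_json)
    # access_denied / "User is already enrolled." here means an enrollment survived
    raise "associate refused: #{body['error_description']}" unless status == 200
    body
  end

  private

  def http_call(verb, path, headers, body)
    uri = URI("#{@base_url}#{path}")
    req = Net::HTTP.const_get(verb.to_s.capitalize).new(uri, headers)
    req.body = body if body
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
    [res.code.to_i, res.body.to_s.empty? ? {} : JSON.parse(res.body)]
  end
end
```

If the delete step is skipped or returns anything other than 204, the associate call is expected to come back with the access_denied error quoted in the thread.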
Great, thanks for the response, now that you mention the deletion I must link to my previous question
After having MFA up and running successfully, when the user wants to add a new phone number/change the device, we remove the old enrollment (with success) and associate a new one (with success as well). Up to there everything is fine (we get a new mfa_token and a new oob_code), which we use to verify along with the new binding_code (sent to the new device), but the verification fails:
{"error":"invalid_request","error_description":"The oob_code doesn't match the mfa_token"}
Any help, much appreciated …
I could add more code, if needed.
@lucas.sonich I’ve deleted the previous factor successfully (response 204 and it’s not shown anymore in the dashboard).
When adding the new factor (same code as shown above), I still receive the same response: {"error"=>"access_denied", "error_description"=>"User is already enrolled."}
Any idea how to proceed?
Thanks in advance
Hello again!
Could you please give us more details about the call and the specific request that you are making.
Thanks.