Excluding users from MFA with rules breaks consent pop-up

We added a rule that overwrites the context.multifactor field for users with specific user names. The exclusion itself worked as expected, but we saw an issue with the first login of new users: after approving the consent, the browser gets an error page.

This is the rule:

function (user, context, callback) {
  // Users whose email starts with one of these prefixes skip MFA.
  const EXCLUDED_USER_PREFIXES = [
    'user1',
    'user2',
  ];

  // Guard against users without an email (e.g. some social connections).
  const email = user.email || '';
  if (EXCLUDED_USER_PREFIXES.some(prefix => email.startsWith(prefix))) {
    // Overwrite the tenant MFA policy for this login only.
    context.multifactor = {
      provider: 'none',
    };
  }

  callback(null, user, context);
}

This is the error message (from the logs) after the user clicks the consent approve button (redacted):

{
  "date": "2022-11-07T21:08:20.946Z",
  "type": "f",
  "description": "Unable to correlate completed consent.",
  "connection": "console-username-password-auth",
  "connection_id": "*****",
  "client_id": "*****",
  "client_name": "*****",
  "ip": "*****",
  "user_agent": "HeadlessChrome 106.0.5249 / Linux 0.0.0",
  "details": {
    "body": {},
    "qs": {
      "state": "aunPKSoGQ0ounwv8P8zeex53859HEzqP"
    },
    "connection": "console-username-password-auth",
    "error": {
      "message": "Unable to correlate completed consent.",
      "oauthError": "server_error",
      "type": "oauth-authorization"
    },
    "session_id": "Jc8r2nrfKjUFXMrQnRDF5Us08iieDAE8",
    "riskAssessment": {
      "confidence": "high",
      "version": "1",
      "assessments": {
        "UntrustedIP": {
          "confidence": "high",
          "code": "not_found_on_deny_list"
        },
        "NewDevice": {
          "confidence": "high",
          "code": "initial_login"
        },
        "ImpossibleTravel": {
          "confidence": "high",
          "code": "initial_login"
        }
      }
    },
    "actions": {
      "executions": [
        "zFw9eSvZSge2Gi9YubrK9zIwMjIxMTA3"
      ]
    }
  },
  "hostname": "*****",
  "user_id": "*****",
  "user_name": "*****",
  "strategy": "auth0",
  "strategy_type": "database",
  "organization_id": "*****",
  "organization_name": "*****",
  "audience": "https://*****.us.auth0.com/userinfo",
  "scope": [
    "openid",
    "profile",
    "email",
    "offline_access"
  ],
  "log_id": "90020221107210823951273628476824183673115586323980222514",
  "_id": "90020221107210823951273628476824183673115586323980222514",
  "isMobile": false,
  "id": "90020221107210823951273628476824183673115586323980222514"
}

On subsequent logins the consent window is not shown, and there are no errors.

Is this an issue with how the rule works or a maybe a bug in the consent mechanism?

+1 Same problem here

+1 on this. Any remediation available? I have some users with MFA enabled and others I (as seen above) disable

+1 For this too, bypassing MFA for SSO users.

For those experiencing this issue, I raised a ticket and it was resolved by Thameera Senanayaka. He suggested reversing the logic, so that MFA is globally turned off and enabled in the Action, rather than the other way round. This resolved the issue for me.

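The inverted logic from the reply above, written as an Auth0 post-login Action. This is an added example, not the original poster's rule and not code from the support engineer; it assumes the tenant's global MFA policy is set to off, so the Action alone decides who is challenged, and the prefix list is a placeholder.

```javascript
// Constructed placeholder list; replace with the real excluded prefixes.
const EXCLUDED_USER_PREFIXES = ['user1', 'user2'];

// True when the email starts with an excluded prefix. A missing email is
// treated as NOT excluded, so the safe default (challenge) applies.
// Note the match is a plain prefix, as in the original rule: 'user1' also
// matches 'user10@...'; use 'user1@' if an exact local part is intended.
function isExcluded(email) {
  if (typeof email !== 'string') return false;
  return EXCLUDED_USER_PREFIXES.some((prefix) => email.startsWith(prefix));
}

// Pure decision so it can be unit-tested without the Actions runtime.
function mfaDecision(user) {
  if (isExcluded(user.email)) {
    return { enable: false, reason: 'excluded prefix' };
  }
  return { enable: true, provider: 'any', reason: 'default: challenge' };
}

// Action entry point. In the Auth0 Action editor this is written as
// `exports.onExecutePostLogin = async (event, api) => { ... }`.
// Instead of disabling MFA for excluded users (which broke consent
// correlation), MFA is enabled only for everyone else; excluded users
// simply fall through to the global policy, which is off.
async function onExecutePostLogin(event, api) {
  const decision = mfaDecision(event.user);
  if (decision.enable) {
    // 'any' lets the user use whichever factor they have enrolled.
    api.multifactor.enable(decision.provider, { allowRememberBrowser: false });
  }
}

// Offline stand-in for the Actions `api` object: records enable() calls.
function runAction(email) {
  const calls = [];
  const api = {
    multifactor: {
      enable: (provider, options) => calls.push({ provider, options }),
    },
  };
  return onExecutePostLogin({ user: { email } }, api).then(() => calls);
}
```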
