getAccessTokenSilently results in a 403 when ignoreCache is set to true

Please include the following information in your post:

  • Which SDK this is regarding: Auth0 React
  • SDK Version: 1.10.20
  • Platform Version: Windows 11
  • 403 Error

In an effort to force reissue an access token, I have set ignoreCache to true. I am using refresh tokens and also set my cache location to local storage. The reason I am attempting to force reissue a refresh token is because I would like to refresh the access token before it actually expires. Is the issue caused by setting ignoreCache to true? Thanks in advance for any help.

1 Like

Hi @franz.salvador,

Welcome to the Auth0 Community!

Can you please share the entire error? There should be more information to help you understand what is going wrong.

Hi Dan,

Here is the error.
err = Error: Multifactor authentication required at new OAuthError
Can this be related to setting the cacheLocation to “local storage”, then setting the ignoreCache option to true when calling getTokenSilently?

If I set the ignoreCache option to false, it works perfectly.

1 Like

This error suggests the user must authenticate with their MFA to obtain a token. It isn’t possible to get a token silently when it requires user interaction (MFA).

Setting ignoreCache to true means that the SDK must reach out to Auth0 for a new token, and can’t use a token that already exists in the cache.

Here’s a thread on how you can handle this situation:

1 Like

I see. Thanks for your help Dan!

1 Like

So just to confirm, there is no way to get the token silently when MFA is enabled? MFA is one of our requirements. When I initially log in, it works. When I try to get a new access token, that’s when I receive an error. Thanks again for your help.

1 Like

I saw the post about setting up a rule for MFA to occur only once per session. I’ll try and implement now. Disregard last post.

1 Like

Sounds good, let us know what you find.

Works like a charm. The only issue that needed to be addressed is detecting if the client is calling getTokenSilently and has a refresh token. In order to check this, we needed to check context.protocol. If a refresh token is used, bypass MFA authentication since the refresh token has been granted. We are running Node 12, so the code may seem a bit outdated.

  const requiresMfa = function (context, user) {
    // Protocol value Auth0 sets when a refresh token is exchanged for new tokens
    const refreshTokenProtocol = 'oauth2-refresh-token';
    const isRefreshTokenProtocol = context.protocol === refreshTokenProtocol;

    // Authentication methods already completed in this session (may be absent)
    let authMethods = [];
    if (context.authentication && Array.isArray(context.authentication.methods)) {
      authMethods = context.authentication.methods;
    }
    const isMFAAuthenticated = Boolean(authMethods.find(method => method.name === 'mfa'));

    // Skip the MFA prompt for refresh-token exchanges and for sessions that already did MFA
    if (isRefreshTokenProtocol || isMFAAuthenticated) {
      return false;
    }
    return true;
  };
3 Likes

Perfect. Thanks for the explainer and code sample
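
The check posted above, wired into a complete Auth0 Rule and run against the cases discussed in this thread, as an added example that is not part of the original posts. The names `mfaOncePerSession` and `wouldPromptMfa` are hypothetical and the contexts are constructed sample data; `context.multifactor` with `provider: 'any'` is the Rules setting that requests an MFA challenge.

```javascript
// Decision from the post above: no MFA prompt for refresh-token exchanges
// or for sessions that already completed MFA.
function requiresMfa(context) {
  if (context.protocol === 'oauth2-refresh-token') return false;
  const auth = context.authentication;
  const methods = auth && Array.isArray(auth.methods) ? auth.methods : [];
  return !methods.some((method) => method.name === 'mfa');
}

// Auth0 Rules signature: (user, context, callback). Name is hypothetical.
function mfaOncePerSession(user, context, callback) {
  if (requiresMfa(context)) {
    // Ask Auth0 to run an MFA challenge with any enabled factor.
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
  }
  return callback(null, user, context);
}

// Hypothetical harness: run the rule on a copy of one context and report
// whether it requested an MFA challenge.
function wouldPromptMfa(context) {
  let prompted = null;
  mfaOncePerSession({ user_id: 'constructed|user' }, { ...context }, (err, user, ctx) => {
    if (err) throw err;
    prompted = Boolean(ctx.multifactor);
  });
  return prompted;
}

// Constructed sample contexts (not captured from a real tenant).
const SAMPLE_CONTEXTS = {
  firstLogin: {
    protocol: 'oidc-basic-profile',
    authentication: { methods: [{ name: 'pwd' }] },
  },
  sessionWithMfa: {
    protocol: 'oidc-basic-profile',
    authentication: { methods: [{ name: 'pwd' }, { name: 'mfa' }] },
  },
  refreshTokenExchange: { protocol: 'oauth2-refresh-token' },
  missingAuthentication: { protocol: 'oidc-basic-profile' },
};

for (const [name, context] of Object.entries(SAMPLE_CONTEXTS)) {
  console.log(`${name}: MFA prompt = ${wouldPromptMfa(context)}`);
}
```

With this rule, a refresh-token exchange returns tokens without a challenge, so the refresh token (kept in local storage in this thread's setup) carries the MFA assurance of the original login. A context with no `authentication` object falls through to the prompt, which is the safe default.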