Guardian MFA without prompt

Hey guys,

not sure if this is the right place for this question.

Is it possible to use `authorize({ prompt: 'none' })` and still use Guardian?

Scenario:
I’m not using Guardian for the initial login but want to trigger it for a different audience at any stage during the user’s session. So I’d be calling `authorize` again with a different audience in order to get a short-lived access token for a specific API endpoint.

This works fine – however the user always has to confirm their identity on the one-click SSO login page (the “Last time you logged in with…” dialog) and only then gets redirected to Guardian. I want the user to skip this page. When I set `prompt` to `'none'`, all I get back is an error saying ‘mfa is required’.

Thanks for any hint/help
Matt

We do provide a way for you to trigger MFA at different stages of the session, based on your own triggers.

Thanks Jeremy,

it’s less about how to trigger MFA. I went through the documentation and could not find a way for the user to skip the login screen before they reach Guardian.

Can you point me into the right direction?

Thanks
Matt

Hi Matt,

Maybe you could try using the following snippet in the Login Hosted page (https://manage.auth0.com/#/login_page)

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  <title>Sign In with Auth0</title>
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
</head>
<body>

  <!--[if IE 8]>
  <script src="//cdnjs.cloudflare.com/ajax/libs/ie8/0.2.5/ie8.js"></script>
  <![endif]-->

  <!--[if lte IE 9]>
  <script src="https://cdn.auth0.com/js/base64.js"></script>
  <script src="https://cdn.auth0.com/js/es5-shim.min.js"></script>
  <![endif]-->
  <script src="https://cdn.auth0.com/js/lock/11.3/lock.min.js"></script>
  <script src="https://cdn.auth0.com/js/auth0/9.3.1/auth0.min.js"></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/fetch/2.0.4/fetch.min.js" integrity="sha256-eOUokb/RjDw7kS+vDwbatNrLN8BIvvEhlLM5yogcDIo=" crossorigin="anonymous"></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.5/lodash.js" integrity="sha256-URL6nHS/9miibsdDHZnKiIK/KBO538N+EfQFbgLwjNA=" crossorigin="anonymous"></script>
  
  <script>
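    (function() {
      // Auth0 hosted login page (Lock + auth0.js). Decodes the config that Auth0
      // injects at render time, then either forwards an existing SSO session
      // straight to its last-used connection (skipping the "Last time you logged
      // in with..." dialog) or shows Lock.
      //
      // Security notes:
      //  - The redirect only decides WHICH connection the browser is sent to.
      //    Credential checks and any MFA challenge still happen server-side on
      //    /authorize, so skipping the dialog does not weaken authentication; it
      //    does remove the user's chance to pick a different account.
      //  - `/user/ssodata` belongs to the legacy Lock API that Auth0 has
      //    deprecated; confirm your tenant still serves it before relying on this.
      //  - ES5 is intentional: the page ships IE8/IE9 shims, so no arrow
      //    functions, const/let or template literals here.

      // Decode utf8 characters properly (@@config@@ is replaced by Auth0 with
      // base64-encoded JSON when the page is rendered).
      var config = JSON.parse(decodeURIComponent(escape(window.atob('@@config@@'))));
      config.extraParams = config.extraParams || {};
      var connection = config.connection;
      var prompt = config.prompt;
      var languageDictionary;
      var language;

      if (config.dict && config.dict.signin && config.dict.signin.title) {
        languageDictionary = { title: config.dict.signin.title };
      } else if (typeof config.dict === 'string') {
        language = config.dict;
      }
      var loginHint = config.extraParams.login_hint;

      // Honour the response_type of the incoming /authorize request and only
      // fall back to token/code when none was given. Computed once so the Lock
      // path and the SSO-redirect path can never disagree.
      var responseType = (config.internalOptions || {}).response_type ||
        (config.callbackOnLocationHash ? 'token' : 'code');

      var lock = new Auth0Lock(config.clientID, config.auth0Domain, {
        auth: {
          redirectUrl: config.callbackURL,
          responseType: responseType,
          params: config.internalOptions
        },
        assetsUrl:  config.assetsUrl,
        allowedConnections: connection ? [connection] : null,
        rememberLastLogin: !prompt,
        language: language,
        languageDictionary: languageDictionary,
        theme: {
          //logo:            'YOUR LOGO HERE',
          //primaryColor:    'green'
        },
        prefill: loginHint ? { email: loginHint, username: loginHint } : null,
        closable: false,
        // uncomment if you want small buttons for social providers
        // socialButtonStyle: 'small'
      });

      // Redirect straight to the last-used connection when the browser already
      // holds an Auth0 SSO session. Calls cb() — with an error argument on
      // failure — whenever the caller should fall back to showing Lock. On the
      // success path the page navigates away and cb is never invoked.
      function skipLastTimePrompt(cb) {
        // A pinned connection, or an explicit prompt other than 'none' (e.g.
        // prompt=login, which must force re-authentication), never short-circuits.
        if (config.connection || (prompt && prompt !== 'none')) { return cb(); }

        // same-origin credentials are needed so the Auth0 session cookie is sent.
        fetch(config.authorizationServer.url + '/user/ssodata', { credentials: "same-origin" })
          .then(function(res) {
            return res.json();
          })
          .then(function(ssoData) {
            if (!ssoData || !ssoData.sso || !ssoData.lastUsedConnection || !ssoData.lastUsedConnection.name) {
              return cb();
            }

            // FIX: the original wrote `A || B ? 'token' : 'code'`, which parses
            // as `(A || B) ? 'token' : 'code'` and therefore turned ANY explicit
            // response_type (including `code`) into `token` — silently
            // downgrading the request to the implicit flow with tokens in the
            // URL fragment. Using the shared, correctly parenthesised value
            // keeps the redirect on the flow the caller asked for.
            var ssoOptions = _.assign({}, {
              domain: config.auth0Domain,
              clientID: config.clientID,
              redirectUrl: config.callbackURL,
              responseType: responseType
            }, config.internalOptions);

            var webAuth = new auth0.WebAuth(ssoOptions);
            return webAuth.authorize({ connection: ssoData.lastUsedConnection.name });
          })
          .catch(cb);
      }

      skipLastTimePrompt(function(err) {
        if (err) {
          console.warn('Skip prompt error', err);
          // Best-effort: any failure (network error, non-JSON body, authorize()
          // throwing) falls back to the standard Lock dialog instead of
          // blocking login.
        }

        lock.show();
      });
    })();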
  </script>
</body>
</html>

It basically uses a little JS to skip the “Last time you logged in…” dialog; the important part is the `skipLastTimePrompt` function. If it works for you, test it and adapt it accordingly. Keep in mind that, as posted, it redirects straight to the last-used connection whenever the browser already has an Auth0 SSO session and `prompt` is unset or `'none'` — so it skips the dialog on every login, not only when the MFA step follows (`prompt=login` still shows the Lock dialog). The skip only chooses the connection; the credential check and the MFA challenge still happen on the server.

Hope this helps :slight_smile:
