I am having trouble setting up OTP and MFA using embedded login for our application.
Using Twillio and Auth0, I have managed to set up a phone number that sends a OTP. From here, using API calls we are able to use this OTP and get an MFA token. However, whenever I try and use this MFA token to authenticate myself/user it claims the mfa token can’t be found. I am finding the documentation very confusing and seeing several different code segments, I’m not sure if I’m using the right code or steps.
This is the order of the curl commands I’m using, which I plan to implement as API calls in my react native code but I can’t figure out if i’m doing the steps correctly:
#GET OTP
curl --request POST \
--url 'https://our_domain/passwordless/start' \
--header 'content-type: application/json' \
--data '{ "client_id": "our_client_id", "connection": "sms", "phone_number": "number", "send": "code"}'
#RESPONSE
{"_id":"string_of_numbers_and_letters","phone_number":"number_put_in","phone_verified":false,"request_language":null}%
For this curl command, I’m not sure if I’m putting the right audience and scope:
#GET MFA
curl --request POST \
--url 'https://our_domain/oauth/token' \
--header 'content-type: application/json' \
--data '{ "grant_type": "http://auth0.com/oauth/grant-type/passwordless/otp", "client_id": "our_client_id", "username": "phone_number", "otp": "code", "realm": "sms", "audience": "https://domain/api/v2/", "scope": "openid"}'
#RESPONSE
{"error":"mfa_required","error_description":"Multifactor authentication required","mfa_token":"long_string_of_characters"}
#INPUT MFA
curl --request POST \
--url 'https://our_domain/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=http://auth0.com/oauth/grant-type/mfa-otp \
--data 'client_id=client_id' \
--data client_secret= client_secret\
--data mfa_token=token_given_from_last_curl_command \
--data otp=otp
#RESPONSE
zsh: no matches found: mfa_token=the_mfa_i_got_from_last_comand