I have a web application whose sign-in/sign-up feature is implemented with the Authorization Code Flow.
I wanted a customized login UI, so I used the Auth0 Authentication APIs rather than Universal Login.
Now we want to add MFA (OTP) to the app.
The problem is that I don't know how to add MFA to the current Authorization Code Flow.
When should I ask the user for an OTP? After authentication, or after the Authorization Code Flow ends?
I read this document.
And I noticed that to verify the OTP I should POST the OTP to the oauth/token endpoint, and I will get an access_token.
But according to the Authorization Code Flow, the authorization code is posted to the oauth/token endpoint to get an access_token.
So I'm totally confused... Please help me. Thank you.
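The two uses of oauth/token that the post runs together, as an added example that is not part of the original post and not Auth0's code: a constructed, offline stand-in for the token endpoint that dispatches on grant_type, so the authorization-code exchange and the OTP step can be seen side by side. The grant_type values and the mfa_required / mfa_token error shape follow Auth0's documented MFA API; the users, authorization codes, client credentials, token formats and error descriptions are made up for the demo.

```python
"""Offline illustration of why one endpoint, /oauth/token, serves both the
authorization-code exchange and the OTP verification: the server dispatches
on grant_type. Constructed example, not Auth0's implementation."""
import secrets

# Auth0's documented grant_type for the OTP step of its MFA API.
MFA_OTP_GRANT = "http://auth0.com/oauth/grant-type/mfa-otp"

# --- constructed server-side state for a hypothetical tenant ---
ISSUED_CODES = {  # authorization codes that /authorize handed out earlier (made up)
    "code-abc123": {"sub": "auth0|alice", "redirect_uri": "https://app.example/callback"},
}
USERS = {  # made-up users; the OTP is fixed so the demo is deterministic
    "alice@example.com": {"password": "correct horse", "mfa_enrolled": True, "otp": "123456"},
    "bob@example.com": {"password": "battery staple", "mfa_enrolled": False, "otp": None},
}
PENDING_MFA: dict[str, str] = {}  # mfa_token -> username that still owes an OTP

CLIENT = {"client_id": "CLIENT_ID", "client_secret": "CLIENT_SECRET"}  # placeholders


def _issue_tokens(sub: str) -> dict:
    """Token response body (format made up; real tokens would be JWTs)."""
    return {"access_token": f"at.{sub}.{secrets.token_urlsafe(8)}",
            "token_type": "Bearer", "expires_in": 86400}


def token_endpoint(form: dict) -> tuple[int, dict]:
    """Stand-in for POST /oauth/token. Returns (http_status, json_body)."""
    grant = form.get("grant_type")

    if grant == "authorization_code":
        # Authorization Code Flow: the code minted by /authorize is redeemed once.
        record = ISSUED_CODES.pop(form.get("code"), None)
        if record is None or record["redirect_uri"] != form.get("redirect_uri"):
            return 403, {"error": "invalid_grant", "error_description": "Invalid authorization code"}
        return 200, _issue_tokens(record["sub"])

    if grant == "password":
        # Resource Owner Password grant, i.e. a username/password login against the API.
        user = USERS.get(form.get("username"))
        if user is None or user["password"] != form.get("password"):
            return 403, {"error": "invalid_grant", "error_description": "Wrong email or password."}
        if user["mfa_enrolled"]:
            # No token yet: the caller gets an mfa_token to continue the login with.
            mfa_token = secrets.token_urlsafe(16)
            PENDING_MFA[mfa_token] = form["username"]
            return 403, {"error": "mfa_required",
                         "error_description": "Multifactor authentication required",
                         "mfa_token": mfa_token}
        return 200, _issue_tokens(form["username"])

    if grant == MFA_OTP_GRANT:
        # Second step: the OTP plus the mfa_token from the mfa_required error.
        username = PENDING_MFA.get(form.get("mfa_token"))
        if username is None:
            return 401, {"error": "invalid_grant", "error_description": "Malformed mfa_token"}
        if USERS[username]["otp"] != form.get("otp"):
            return 403, {"error": "invalid_grant", "error_description": "Invalid otp_code."}
        del PENDING_MFA[form["mfa_token"]]  # the mfa_token is single use
        return 200, _issue_tokens(username)

    return 400, {"error": "unsupported_grant_type"}


# --- client side: three different request bodies, one endpoint ---
def exchange_code(code: str, redirect_uri: str) -> tuple[int, dict]:
    return token_endpoint({**CLIENT, "grant_type": "authorization_code",
                           "code": code, "redirect_uri": redirect_uri})


def login_with_password(username: str, password: str) -> tuple[int, dict]:
    return token_endpoint({**CLIENT, "grant_type": "password",
                           "username": username, "password": password})


def verify_otp(mfa_token: str, otp: str) -> tuple[int, dict]:
    return token_endpoint({**CLIENT, "grant_type": MFA_OTP_GRANT,
                           "mfa_token": mfa_token, "otp": otp})


if __name__ == "__main__":
    print(exchange_code("code-abc123", "https://app.example/callback"))
    status, body = login_with_password("alice@example.com", "correct horse")
    print(status, body)  # 403 mfa_required with an mfa_token
    print(verify_otp(body["mfa_token"], "123456"))  # 200 with access_token
```

In this model the OTP is requested only after the credential step has answered with mfa_required, and the mfa_token from that error is what ties the OTP request to the half-finished login; the authorization_code exchange is an unrelated request to the same URL, told apart purely by its grant_type. Wrong OTPs leave the pending mfa_token in place so the user can retry, while a successful OTP consumes it.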