How to add MFA to Authorization Code Flow

your3i.dev · March 4, 2023, 2:11am

I have a web application that its signin/up feature is implemented with Authorization Code Flow.
I wanted customized login UI so I used Auth0 Authentication APIs rather than Universal Login.
Now We want to add MFA (OTP) to the app.

I have a problem that I don’t know how to add MFA to the current Authorization Code Flow.
When should I ask user for an OTP? After authentication or after Authorization Code Flow ends?

I read this document.
And I noticed that to verify the OTP I should post the OTP to the oauth/token endpoint and I will get an access_token.
But according to Authorization Code Flow, authorization code is posted to oauth/token endpoint to get an access_token.

So I’m totally confused…Please help me. Thank you.

your3i.dev · March 5, 2023, 3:20am

I found this document from this post, and now I understand that MFA is just a way for the authorization server to authenticate user.

So after MFA enabled, I should use “mfa-oob” as the grand_type oauth/token endpoint, right?
But there’s no “refresh_token” in the response, how to refresh token?

Topic		Replies	Views
Request MFA with an already MFA authenticated token? Help	1	1756	July 26, 2022
The /oauth/token endpoint returns either ACCESS_TOKEN or MFA_TOKEN -I need both Help mfa , one-time-password-otp-factor	0	960	June 8, 2023
OTP Screen After login Help mfa , mfa-api	5	872	November 16, 2023
Auth0 mfa-otp grant flow sequence diagram or something like that? Help oauth2	4	3104	November 28, 2021
MFA: Enrolling OTP on NextJS frontend Help mfa , one-time-password-otp-factor	2	1565	June 27, 2023

How to add MFA to Authorization Code Flow

Related topics