How to add MFA to Authorization Code Flow

your3i.dev · March 4, 2023, 2:11am

I have a web application that its signin/up feature is implemented with Authorization Code Flow.
I wanted customized login UI so I used Auth0 Authentication APIs rather than Universal Login.
Now We want to add MFA (OTP) to the app.

I have a problem that I don’t know how to add MFA to the current Authorization Code Flow.
When should I ask user for an OTP? After authentication or after Authorization Code Flow ends?

I read this document.
And I noticed that to verify the OTP I should post the OTP to the oauth/token endpoint and I will get an access_token.
But according to Authorization Code Flow, authorization code is posted to oauth/token endpoint to get an access_token.

So I’m totally confused…Please help me. Thank you.

your3i.dev · March 5, 2023, 3:20am

I found this document from this post, and now I understand that MFA is just a way for the authorization server to authenticate user.

So after MFA enabled, I should use “mfa-oob” as the grand_type oauth/token endpoint, right?
But there’s no “refresh_token” in the response, how to refresh token?