We’re using the New Universal Login for authentication and we want to use MFA Email and/or SMS.
Universal Login doesn’t allow MFA email as a single factor, so we want to build a custom MFA page to do it ourselves by using the MFA API.
The issue is that when we want to challenge an MFA factor we need an MFA_TOKEN. This token only seems to be granted through the ROPG flow. But we’re using Universal Login and not ROPG.
I expect the flow would be something like what you describe.
Your fourth point: yes, it does work.
When you get redirected to your external MFA pages you will receive a code as part of the redirection (providing authentication was successful). You’ll then have to use the code in a POST request to /oauth/token.
This will produce an Access Token which you can use on the /mfa/associate endpoint to enrol an MFA factor.
When the user is redirected to your app, you send another /authorize request with your API as the audience and the API scopes, using prompt=none to make a silent auth request; a new Access Token will be returned without the user having to re-authenticate, as they already did this for MFA and the server session should still be valid.
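The three steps in the reply above, written out as an added example (this is not code from the thread or from Auth0): exchange the redirect code at /oauth/token, call /mfa/associate with the resulting Access Token to enrol an email OOB factor, then build the silent prompt=none /authorize request for the API audience. Network access is behind an injectable `transport` callable, so the flow runs offline against `FakeTransport`, whose responses are constructed sample data. It assumes the /authorize request that produced the redirect asked for the MFA API audience (https://{domain}/mfa/) with the `enroll` scope, and that a confidential client with a client secret is doing the code exchange; the domain, client id and e-mail address are placeholders.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def http_transport(url, payload, headers):
    """Real transport: JSON POST to Auth0, returns the decoded JSON body."""
    body = json.dumps(payload).encode()
    req = Request(url, data=body, headers={"Content-Type": "application/json", **headers})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


def exchange_code_for_token(transport, domain, client_id, client_secret, code, redirect_uri):
    """Step 1: swap the `code` received on the MFA page redirect for an Access Token."""
    payload = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,  # assumes a confidential (server-side) client
        "code": code,
        "redirect_uri": redirect_uri,  # must match the redirect_uri sent on /authorize
    }
    return transport(f"https://{domain}/oauth/token", payload, {})["access_token"]


def associate_email_authenticator(transport, domain, access_token, email):
    """Step 2: enrol an email out-of-band factor with the MFA-audience Access Token."""
    payload = {"authenticator_types": ["oob"], "oob_channels": ["email"], "email": email}
    return transport(
        f"https://{domain}/mfa/associate",
        payload,
        {"Authorization": f"Bearer {access_token}"},
    )


def silent_authorize_url(domain, client_id, redirect_uri, api_audience, scope, state):
    """Step 3: silent /authorize (prompt=none) for an API token; relies on the session."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "audience": api_audience,
        "scope": scope,
        "prompt": "none",
        "state": state,  # verify on the way back to stop CSRF on the callback
    }
    return f"https://{domain}/authorize?{urlencode(params)}"


class FakeTransport:
    """Offline stand-in: checks the request shape and returns constructed responses."""

    def __init__(self):
        self.calls = []

    def __call__(self, url, payload, headers):
        self.calls.append((url, payload, headers))
        if url.endswith("/oauth/token"):
            if payload.get("grant_type") != "authorization_code" or not payload.get("code"):
                raise ValueError("bad token request")
            return {"access_token": "CONSTRUCTED_MFA_AT", "token_type": "Bearer", "expires_in": 86400}
        if url.endswith("/mfa/associate"):
            if headers.get("Authorization") != "Bearer CONSTRUCTED_MFA_AT":
                raise ValueError("missing or wrong bearer token")
            if payload.get("authenticator_types") != ["oob"]:
                raise ValueError("unexpected authenticator type")
            # constructed response shaped like an OOB enrolment reply
            return {
                "authenticator_type": "oob",
                "oob_channel": payload["oob_channels"][0],
                "oob_code": "CONSTRUCTED_OOB_CODE",
                "binding_method": "prompt",
            }
        raise ValueError(f"unexpected URL {url}")


if __name__ == "__main__":
    t = FakeTransport()  # swap for http_transport against a real tenant
    at = exchange_code_for_token(t, "example.auth0.com", "CLIENT_ID", "CLIENT_SECRET",
                                 "CODE_FROM_REDIRECT", "https://app.example.com/mfa/callback")
    print(associate_email_authenticator(t, "example.auth0.com", at, "user@example.com"))
    print(silent_authorize_url("example.auth0.com", "CLIENT_ID", "https://app.example.com/cb",
                               "https://api.example.com", "openid read:items", "STATE"))
```

The Access Token from step 1 is only good for the MFA API; the API token the app actually needs comes from the step 3 redirect, which succeeds silently only while the Auth0 session created during login is still valid, so handle a `login_required` error on that callback by sending the user through a normal /authorize.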