Hi,
We’re using the New Universal login for authentication and we want to use MFA Email and/or SMS.
Universal login doesn’t allow MFA email as a single factor, so we want to build a custom MFA page to do it ourselves by using MFA API.
The issue is that when we want to challenge a MFA factor we need a MFA_TOKEN. This token only seems to be granted through ROPG flow. But we’re using universal login and not ROPG.
The documentation here is unclear on how to achieve this: Manage Authentication Factors with Authentication API
Thank you
Hi @jeremie.poisson
Thanks for getting in touch with us at Auth0 Community.
It’s correct that the ROPG flow does give you the mfa_token, but you can still use Universal Login, providing you use the correct audience and scopes when making the request as per https://auth0.com/docs/secure/multi-factor-authentication/manage-mfa-auth0-apis/manage-authenticator-factors-mfa-api#universal-login e.g. a login request may redirect to the /authorize endpoint with the following information:
https://{your_domain}/authorize?&
response_type=code&
client_id={your_client_id}&
redirect_uri=http://jwt.io&
scope=enroll+read:authenticators&
audience=https://{your_domain}/mfa/&
state=STATE
This will produce a JWT access token that you should be able to use in the rest of the flow where mfaToken is referenced, e.g. for SMS or voice, see the flow here https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-challenge-sms-voice-authenticators#enroll-with-sms-or-voice
Warm regards.
Hi,
Ok, that’s interesting, but we already specify an audience for one of our APIs.
And Auth0 doesn’t support multiple audiences.
So the flow will be something like :
- User goes to the app
- User hit “Login” button
- The user is redirected to Auth0 with an /authorize request with the https://{your_domain}/mfa/ audience
- The user enters login/password (Does it work?)
- He gets redirected to our external MFA pages with Actions (How can we have an Access Token to use here if we didn’t complete the process?)
- User verifies/enrolls MFA
- He gets redirected to the app
- The app sends another /authorize request (another redirection?)
That’s unclear to me.
Hi @jeremie.poisson
I expect the flow would be something like you describe.
Your fourth point: yes, it does work.
When you get redirected to your external MFA pages you will receive a code as part of the redirection (providing authentication was successful). You’ll then have to use the code in a POST request to /oauth/token.
This will produce an Access Token which you can use on the /mfa/associate endpoint to enrol an MFA factor.
When the user is redirected to your app, you send another /authorize with your API as the audience (and your API scopes), using prompt=none to make a silent auth request. A new Access Token will be returned without the user having to re-authenticate, as they already did this for MFA and the server session should still be valid.
I hope this makes sense.
Warm regards.
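The four-step flow laid out in the two replies above (authorize with the MFA API as the audience, exchange the code at /oauth/token, use that access token against /mfa/associate, then a silent prompt=none request for the real API token), written out as an added example. This is illustration code, not code from the thread, from Auth0 or from the poster's application; the tenant domain, client ID and secret, redirect URI, phone number and the sample JWT payloads are constructed. The request builders are pure functions so the steps can be checked offline; `post_json` is the only part that touches the network.

```python
import base64
import json
import secrets
import urllib.parse
import urllib.request

DOMAIN = "tenant.example.auth0.com"                     # assumed tenant domain
CLIENT_ID = "EXAMPLE_CLIENT_ID"                         # assumed
CLIENT_SECRET = "EXAMPLE_CLIENT_SECRET"                 # assumed; keep server-side only
REDIRECT_URI = "https://app.example.com/mfa/callback"   # assumed external MFA page


def mfa_audience(domain=DOMAIN):
    # The MFA API audience the first reply puts in the /authorize request.
    return f"https://{domain}/mfa/"


def new_state():
    # Unguessable state, stored in the user's session and checked on callback.
    return secrets.token_urlsafe(32)


def build_authorize_url(scope, audience, state, prompt=None, domain=DOMAIN):
    """Step 1 (and step 4 with prompt='none'): the /authorize redirect."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "audience": audience,
        "state": state,
    }
    if prompt:
        params["prompt"] = prompt
    return f"https://{domain}/authorize?" + urllib.parse.urlencode(params)


def code_from_callback(query, expected_state):
    """Parse the redirect back to the MFA page; refuse a missing or mismatched state."""
    q = urllib.parse.parse_qs(query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale callback")
    if "error" in q:
        raise RuntimeError(f"authorize error: {q['error'][0]}")
    return q["code"][0]


def build_token_request(code, domain=DOMAIN):
    """Step 2: authorization-code exchange at /oauth/token (server side, with the secret)."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }
    return f"https://{domain}/oauth/token", body


def jwt_payload(token):
    """Decode the payload segment only. This is a sanity check on which audience
    the token was minted for, not a trust decision: no signature is verified here."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def is_mfa_token(access_token, domain=DOMAIN):
    # True only if the token carries the MFA API audience, i.e. it can stand in for mfa_token.
    aud = jwt_payload(access_token).get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    return mfa_audience(domain) in auds


def build_associate_request(mfa_token, channel, destination, domain=DOMAIN):
    """Step 3: enrol an out-of-band authenticator (SMS or email) with the MFA access token."""
    if channel not in ("sms", "email"):
        raise ValueError("channel must be 'sms' or 'email'")
    body = {"authenticator_types": ["oob"], "oob_channels": [channel]}
    body["phone_number" if channel == "sms" else "email"] = destination
    headers = {"Authorization": f"Bearer {mfa_token}"}
    return f"https://{domain}/mfa/associate", headers, body


def post_json(url, body, headers=None):
    """Send one of the requests built above. Network call; not exercised offline."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data,
                                 headers={"Content-Type": "application/json", **(headers or {})})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def constructed_sample_jwt(payload):
    """Constructed, unsigned token used only to exercise jwt_payload/is_mfa_token offline."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder"
```

Usage follows the thread's order: redirect the browser to `build_authorize_url("enroll read:authenticators", mfa_audience(), state)`, on the callback run `code_from_callback`, POST the result of `build_token_request`, confirm `is_mfa_token` on the returned access token before passing it to `build_associate_request`, and finally redirect to `build_authorize_url("<your API scopes>", "<your API audience>", new_state(), prompt="none")`. The state check and the audience check are the two things the replies leave implicit that a practitioner should not skip.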