How to implement MFA step-up when using Auth0.js SDK for authentication

We are still having issues with this …

FYI: we are using an embedded login implementation using the auth0.js SDK. Using the universal login is not an option for us. We were using the implicit flow, but already refactored this to the authorization code flow to test the following:

  • We created a rule that checks if a certain extra scope is asked for then it triggers the MFA error.
  • After that we tried to trigger this rule in our application
    • by doing a silent authentication using checkSession with the extra scope as a parameter. But this doesn’t work: we get a login_required error with description ‘Multi factor authentication is required’ instead of an mfa_required error. The login_required error doesn’t have an mfa_token we can use to start the MFA flow.
    • after that we enabled the refresh_token because we saw that the oauth/token call does trigger the mfa_required error (however we don’t think the refresh token is a good solution, we just wanted to check if this could work). And when refreshing the token by adding the scope in the body (which isn’t a known property) the rule is triggered and we get our mfa_required error with the mfa_token. We can use this token to complete the MFA flow, but the token we get at the end doesn’t include our extra scope and we don’t have the AMR or ACR property in our id token as is described here (Configure Step-up Authentication for Web Apps). Probably because the refresh token grant doesn’t take the scope parameter into account.

Any idea what the best solution is to do a step-up authentication using the embedded screens (both the login screen and the screen to enter the OOB code)?
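For readers following along, here is an added example (not the poster's rule and not Auth0's own code) of the two pieces the post refers to: a Rule that asks for MFA only when a dedicated step-up scope is requested and MFA has not already been completed in this transaction, and the client-side check of the resulting `amr` claim that the linked step-up guide describes. The scope name `step-up:admin` is a constructed placeholder; `context.request.query`, `context.request.body`, `context.authentication.methods` and `context.multifactor` are the Auth0 Rules context properties this relies on.

```javascript
// Added example (not the poster's code): an Auth0 Rule that requests MFA
// only when the login transaction asks for a dedicated step-up scope.
// The scope name "step-up:admin" is a constructed placeholder.
const STEP_UP_SCOPE = 'step-up:admin';

// Collect the requested scopes from wherever the transaction carries them:
// context.request.query for /authorize-based flows (checkSession, code flow),
// context.request.body for token-endpoint flows (e.g. a refresh_token grant).
function requestedScopes(context) {
  const req = (context && context.request) || {};
  const raw =
    (req.query && req.query.scope) || (req.body && req.body.scope) || '';
  return raw.split(' ').filter(Boolean);
}

// True when this login already completed MFA. Auth0 records completed
// methods in context.authentication.methods as { name: 'mfa', timestamp }.
function alreadyDidMfa(context) {
  const methods =
    (context && context.authentication && context.authentication.methods) || [];
  return methods.some((m) => m.name === 'mfa');
}

// Step-up is needed only for the sensitive scope, and only once per session.
function requiresStepUp(context) {
  return requestedScopes(context).includes(STEP_UP_SCOPE) && !alreadyDidMfa(context);
}

// The rule body as it would be pasted into the Auth0 Rules editor (a rule is
// a single function, so the helpers above would be inlined inside it).
// In a non-interactive flow this is what surfaces as the mfa_required error
// carrying an mfa_token; in an interactive flow it shows the MFA prompt.
function stepUpRule(user, context, callback) {
  if (requiresStepUp(context)) {
    // Accept any enrolled factor; do not let "remember this browser"
    // bypass the step-up for the sensitive scope.
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
  }
  return callback(null, user, context);
}

// Client side: after a successful step-up the ID token should carry
// amr containing "mfa". Only inspect claims of a token whose signature
// and audience have already been verified; never trust a raw decode.
function idTokenShowsMfa(claims) {
  return Array.isArray(claims && claims.amr) && claims.amr.includes('mfa');
}
```

The `requestedScopes` helper reads both `query.scope` and `body.scope` on purpose: it is the same rule that fires for the checkSession path and for the token-endpoint path the post compares, so the two behaviours can be traced back to one decision point, and the `amr` check is the application's signal that the step-up actually happened rather than the mere presence of a new access token.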
