How to Persist MFA Verification Status in Access Token During Refresh Token Exchange in Auth0 Actions?

Hey everyone!

I’m using Auth0 Post Login Actions to set a custom claim (mfaVerified = true/false) in the access token based on whether a user was challenged with MFA during login. I want this status/custom claim to persist in new access tokens issued during refresh token exchanges (since it’s the same session). However, during refresh flows, event.authentication.methods is empty, so I can’t re-evaluate MFA status directly.

Is there a recommended way to persist session-specific data like MFA status across refresh token exchanges in Auth0 Actions, or a better approach to handle this use case without incorrectly carrying over the status to new sessions after logout?

Any insights or best practices would be appreciated!

Hi @daniel.bozinovski

I am sorry about the delayed response to your inquiry!

You should be able to bypass MFA on token refresh by adding this line of code inside a PostLogin Trigger:

if (event.transaction?.protocol === "oauth2-refresh-token") {
  // code to persist the custom claim goes here
  return;
}

This will allow users who authenticate via the above protocol (the ones used on token refresh) to not be asked for MFA.

If you have any other questions, let me know!

Kind Regards,
Nik

Hey @nik.baleca, thanks for the reply again!

That makes sense. How do you advise persisting the custom claim? Should it be saved to app/user metadata and then extracted during exchanges?

Thanks!
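
One way to do what the last reply asks about, as an added example that is not code from either poster or from Auth0: the PostLogin handler stores the MFA result in app metadata together with the session ID, and on refresh reuses it only for that same session. The `mfa_session` key is a hypothetical name, and the sketch assumes `event.session.id` is populated during the refresh exchange; where it is not, the claim falls back to false.

```javascript
// Added example, not Auth0's or the posters' code. The app_metadata key
// "mfa_session" is a hypothetical name chosen for this sketch.
const REFRESH = "oauth2-refresh-token";

// Pure decision: what mfaVerified should be, and what (if anything) to store.
function resolveMfaClaim(event) {
  const sessionId = event.session ? event.session.id : undefined;

  if (event.transaction && event.transaction.protocol === REFRESH) {
    // authentication.methods is empty here, so rely on the stored record.
    const saved = (event.user.app_metadata || {}).mfa_session;
    // Fail closed: no session id, no record, or a record from another session.
    const verified = Boolean(
      sessionId && saved && saved.sessionId === sessionId && saved.verified === true
    );
    return { verified, store: null };
  }

  // Interactive login: evaluate MFA from this transaction and overwrite the
  // record, so a login after logout never inherits the previous status.
  const methods = (event.authentication && event.authentication.methods) || [];
  const verified = methods.some((m) => m.name === "mfa");
  return { verified, store: sessionId ? { sessionId, verified } : null };
}

// In Auth0 this function is assigned to exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  const { verified, store } = resolveMfaClaim(event);
  if (store) api.user.setAppMetadata("mfa_session", store);
  api.accessToken.setCustomClaim("mfaVerified", verified);
}
```

Only the most recent interactive login is recorded, so a refresh from an older concurrent session gets `mfaVerified = false` rather than inheriting another session's status.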
