How to Prevent Re-Login When Using Step-Up Authentication for MFA

Hi, I am implementing Step-Up Authentication using Auth0’s /authorize endpoint. Users log in using Password Grant (/oauth/token with password grant type), and later, I need to trigger MFA for high-security actions (Step-Up Authentication).

My current flow:
1. User logs in via Password Grant (no MFA required at this stage).
2. When MFA is required, my backend redirects the user to /authorize with acr_values=http://schemas.openid.net/pape/policies/2007/06/multi-factor.
3. The user is expected to complete MFA only, but instead, Auth0 prompts them to log in again before MFA.

The Issue:

  • Auth0 is asking users to log in again instead of just requiring MFA.
  • I expected that users who already logged in via Password Grant would not need to re-authenticate and would only be prompted for MFA.

My Question:
  • How can I ensure that users are NOT required to log in again when triggering Step-Up Authentication via /authorize?
  • Is there a way to establish an SSO session in Auth0 after logging in via Password Grant so that /authorize recognizes the session?

Any guidance would be greatly appreciated. Thanks!
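As an added illustration that is not part of the original post or Auth0's own code: the backend-side decision behind step 2, checking the verified ID token's `acr` claim before a high-security action and building the /authorize redirect when MFA is still missing. It assumes the token has already been signature-verified into a claims dict and that Auth0 returns the same policy URI in `acr` once MFA completes; the domain, client id and redirect URI are placeholders.

```python
# Added example (not the poster's or Auth0's code): decide whether a caller
# must complete step-up MFA before a high-security action, and build the
# /authorize URL that requests it. Assumes `claims` comes from an ID token
# whose signature and audience were already verified.
from urllib.parse import urlencode

# The AuthnContext class reference sent as acr_values; Auth0 echoes it in
# the `acr` claim of the token issued after MFA succeeds.
MFA_ACR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"


def needs_step_up(claims: dict) -> bool:
    """Return True when the verified token does not prove MFA.

    A token from the Password Grant alone carries no `acr` claim (or a
    different one), so the caller must be sent through /authorize.
    """
    return claims.get("acr") != MFA_ACR


def build_step_up_url(domain: str, client_id: str, redirect_uri: str,
                      state: str) -> str:
    """Build the /authorize redirect that asks Auth0 for the MFA policy."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,            # binds the callback to this request
        "acr_values": MFA_ACR,
    }
    return f"https://{domain}/authorize?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample claims: a Password Grant token (no acr) versus the
    # token returned after the step-up round trip (placeholder values).
    password_grant_claims = {"sub": "auth0|user1", "aud": "client-id"}
    mfa_claims = {"sub": "auth0|user1", "aud": "client-id", "acr": MFA_ACR}
    print(needs_step_up(password_grant_claims))   # True
    print(needs_step_up(mfa_claims))              # False
    print(build_step_up_url("YOUR_DOMAIN.auth0.com", "client-id",
                            "https://app.example/callback", "abc123"))
```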

Hi @bhuang

Welcome to the Auth0 Community!

The issue that you are facing can have different causes, but assuming Step-Up Authentication has been configured correctly for the Resource Owner Password Flow, the most common causes for the Step-Up Authentication requiring users to re-login before the MFA is prompted would be:

  • User attributes are updated mid-flow: Ensure the flow does not include any calls (via Rules, Actions, or extensions) to update user attributes such as email, email_verified, phone_number, or password. Any updates to user attributes that occur before or during the authentication process can force a re-login because the session is not recognized anymore;
  • A Tenant Flag needs to be enabled: there are some flags that, if not enabled, can cause this behavior (such as allow_changing_enable_sso and enable_sso).

Please go over the documentation and the Actions that are in place on your tenant to see if everything is set up correctly and if user attributes are not being updated. If these check out, it is likely that a flag is missing from your tenant. If it turns out you need a flag enabled, please open a Support case with our team (as I can see that you have access to an Enterprise account) and they will be able to look into this further.

Hope this helped, let me know if you have any further input!
Gerald