Problem Statement:
How to set up MFA TOTP enrollment with Management API?
Solution:
Please follow the below steps:
1. Get a refresh token
POST https://{YOUR_DOMAIN}/oauth/token
{
"grant_type": "http://auth0.com/oauth/grant-type/password-realm",
"client_id": "YOUR_CLIENT_ID",
"client_secret": "YOUR_CLIENT_SECRET",
"audience": "https://{YOUR_DOMAIN}/mfa/",
"username": "USER_EMAIL_OR_USERNAME",
"password": "USER_PASSWORD",
"scope": "offline_access",
"realm": "Username-Password-Authentication"
}
Note that the audience is the MFA API, i.e. your domain with /mfa/ at the end.
2. Use the refresh token to get a new access_token
curl --request POST \
--url 'https://{YOUR_DOMAIN}/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=refresh_token \
--data 'client_id=YOUR_CLIENT_ID' \
--data client_secret=YOUR_CLIENT_SECRET \
--data refresh_token=YOUR_REFRESH_TOKEN
3. Use that access_token to start an enrollment at /mfa/associate
curl --request POST \
--url 'https://{YOUR_DOMAIN}/mfa/associate' \
--header 'authorization: Bearer ACCESS_TOKEN' \
--header 'content-type: application/json' \
--data '{
"client_id": "YOUR_CLIENT_ID",
"client_secret": "YOUR_CLIENT_SECRET",
"authenticator_types": ["otp"]
}'
The response contains secret and barcode_uri. Add an account in Google Authenticator with the user's email and the secret (or scan barcode_uri) to get the OTP code. The oob_channels and phone_number fields are only needed when "oob" is among the authenticator_types, i.e. for SMS enrollment, not for TOTP.
4. Confirm OTP enrollment with
curl --request POST \
--url 'https://{YOUR_DOMAIN}/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=http://auth0.com/oauth/grant-type/mfa-otp \
--data 'client_id=YOUR_CLIENT_ID' \
--data mfa_token=MFA_TOKEN \
--data client_secret=YOUR_CLIENT_SECRET \
--data otp=USER_OTP_CODE
5. Verify that TOTP is listed under the user's MFA settings on the Dashboard.
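The four calls above as one script, added here as an example rather than code from the original post. It uses only the Python standard library, drives steps 1 to 4 in order, parses the returned barcode_uri and computes the TOTP code locally per RFC 6238 instead of typing the secret into Google Authenticator. Assumptions: the placeholders (domain, client id/secret, user credentials) are yours to fill in; the `post` transport is injectable so the flow can be exercised offline against a fake server; and the MFA API access token from step 2 is passed as mfa_token in step 4 (the post shows a generic MFA_TOKEN placeholder there).

```python
"""Added example: Auth0 MFA TOTP enrollment (steps 1-4) plus a local RFC 6238 TOTP.
Placeholders and the injectable `post` transport are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import struct
import time
import urllib.parse
import urllib.request


def http_post(url, headers, body):
    """Default transport: POST raw `body` bytes and return the parsed JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode())


def parse_barcode_uri(uri):
    """Extract secret/issuer/digits/period/algorithm from an otpauth://totp/ URI."""
    u = urllib.parse.urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in urllib.parse.parse_qs(u.query).items()}
    return {
        "label": urllib.parse.unquote(u.path.lstrip("/")),
        "secret": q["secret"],
        "issuer": q.get("issuer"),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def totp(secret_b32, at_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HMAC over the big-endian time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if at_time is None else at_time) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def enroll_totp(domain, client_id, client_secret, username, password, post=http_post):
    """Run steps 1-4 of the post. Returns the secret, the OTP used and whether step 4 succeeded."""
    token_url = f"https://{domain}/oauth/token"
    form = {"content-type": "application/x-www-form-urlencoded"}
    # Step 1: password-realm grant against the MFA API audience, requesting offline_access.
    step1 = post(token_url, {"content-type": "application/json"}, json.dumps({
        "grant_type": "http://auth0.com/oauth/grant-type/password-realm",
        "client_id": client_id, "client_secret": client_secret,
        "audience": f"https://{domain}/mfa/",
        "username": username, "password": password,
        "scope": "offline_access", "realm": "Username-Password-Authentication",
    }).encode())
    # Step 2: exchange the refresh token for a fresh MFA API access token.
    step2 = post(token_url, form, urllib.parse.urlencode({
        "grant_type": "refresh_token", "client_id": client_id,
        "client_secret": client_secret, "refresh_token": step1["refresh_token"],
    }).encode())
    access_token = step2["access_token"]
    # Step 3: start an OTP (TOTP) enrollment; the reply carries secret and barcode_uri.
    step3 = post(f"https://{domain}/mfa/associate",
                 {"authorization": f"Bearer {access_token}", "content-type": "application/json"},
                 json.dumps({"client_id": client_id, "client_secret": client_secret,
                             "authenticator_types": ["otp"]}).encode())
    params = parse_barcode_uri(step3["barcode_uri"])
    code = totp(params["secret"], digits=params["digits"],
                period=params["period"], algorithm=params["algorithm"])
    # Step 4: confirm with the mfa-otp grant. Assumption: the step-2 access token is the mfa_token.
    step4 = post(token_url, form, urllib.parse.urlencode({
        "grant_type": "http://auth0.com/oauth/grant-type/mfa-otp",
        "client_id": client_id, "client_secret": client_secret,
        "mfa_token": access_token, "otp": code,
    }).encode())
    return {"secret": step3["secret"], "otp": code, "confirmed": "access_token" in step4}


if __name__ == "__main__":
    # Fill in your own tenant values before running against Auth0 (placeholders below).
    print(enroll_totp("YOUR_DOMAIN", "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET",
                      "USER_EMAIL_OR_USERNAME", "USER_PASSWORD"))
```

Because the transport is a plain callable, the same function can be pointed at a recording fake during testing, which is also a convenient place to check that step 3 never sends oob_channels or phone_number for a TOTP-only enrollment.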
References:
https://auth0.com/docs/api/authentication?shell#verify-with-recovery-code
How to Enroll a User in Both Google Authenticator and SMS with MFA API