How to verify if TOTP code is correct in code?

Hi, we have a case where we need to ask user for additional verification to perform some sensitive tasks on our api. Users have set-up 2fa totp, and they would send this code on api call. How do we actually verify if this code is valid at the time for the given user? I haven’t found anything like this in mgmt api. Is there a specific api for this? This is crucial for us. And example in curl would suffice, but would be ideal with dotnet.

Hi @romko , welcome to Auth0!

If your users are enrolled to MFA, you can set your app to prompt them to authenticate again when they want to enter your API. So basically, even if they have already been logged in, repeat the authentication for them if they are invoking your API. This way you are sure that only users that are double checked at a given moment in time are entering your API.

The final verification of the OTP happens against the Auth0 Authentication API so you do not need to validate it yourself.

I do not know the .NET snipped for that, but found a sample CURL of the final OPT verification resulting in receiving new access and id tokens in case of a Resource Owner Passwords flow.

curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type= \
  --data 'client_id={yourClientId}' \
  --data 'client_secret={yourClientSecret}' \
  --data 'mfa_token={mfaToken}' \
  --data 'otp={userOtpCode}'

Hope this helps and please let me know any questions!

1 Like

Hi @marcelina.barycka, thanks for your reply.
I do have more questions though:

  1. Is this a step-up authentication (could be found in auth0 docs) flow that you’re suggesting, or something else?
  2. And about this second authentication prompt, will the user have to enter his email and password again, + totp? Or I can redirect straight to totp?

p.s. we have asp net core web api as a back-end but out fron-end in reactjs spa.

Hi @romko !

Thanks for you patience.

I referred to the /authorize request being sent when users log in or call the protected API endpoints.

If they are already logged in they would be challenged to provide the OPT.

For the single page application scenario, there is a step-up authentication doc that approach the problem with Actions that challenge with OPT when a SPA app requests the specific sensitive API scope using event.transaction.requested_scopes.indexOf('sensitive_scope')

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.