I’m afraid redirecting twice from rules is unsuported like mentioned in the documentation so if you want consent and custom MFA you would need to somehow handle it with a single redirect only. Technically once you redirect the user to your system, whatever you force them to do before getting back to Auth0 flow is up to you so it does not need to be only one thing, however, the more things need to be done the more complex the custom flow would become.