Incorrect documentation for post-login action event object

Thanks for the info. I don’t need to challenge the user for MFA, I need information about the authentication flow that should have already completed.

I had found this other forum post that uses the authentication methods to determine if MFA had been performed. I don’t understand how the authentication methods array sometimes contains MFA and sometimes doesn’t. It also seems like the post-login action gets called during silent authentication or when using a refresh token, so it’s pretty confusing how it really works.

Other recommendations I’ve seen suggest using claims from the ID token, but this won’t work for my use case. I need the claim added to the access token and there doesn’t appear to be any other place aside from the post-login action that lets you add claims to the access token.

It’s a bit misleading to call it a post-login action if it’s actually running in the middle of the authentication flow and you can’t see whether or not MFA was completed.
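
Added example, not part of the original post: one way a post-login action can read the authentication methods array and copy what it finds into an access-token claim, treating a missing array as "no MFA seen". It assumes the Auth0 Actions interface (`event.authentication.methods` entries with `name` and `timestamp`, and `api.accessToken.setCustomClaim`); the claim namespace, helper names, fake `api` object and sample events are constructed for illustration.

```javascript
// Added example. Assumes the Auth0 Actions post-login interface.
const CLAIM_NS = "https://example.com/claims"; // placeholder namespace (assumption)

// Returns the 'mfa' entry from event.authentication.methods, or null.
// event.authentication and methods are guarded because they may be absent.
function findMfaMethod(event) {
  const methods = (event.authentication && event.authentication.methods) || [];
  return methods.find((m) => m && m.name === "mfa") || null;
}

// Writes the observed MFA state to the access token. The claim is always set,
// so a resource server sees an explicit false rather than a missing claim.
function applyMfaClaim(event, api) {
  const mfa = findMfaMethod(event);
  api.accessToken.setCustomClaim(`${CLAIM_NS}/mfa`, mfa !== null);
  if (mfa && mfa.timestamp) {
    // Lets the API judge how old the MFA event is.
    api.accessToken.setCustomClaim(`${CLAIM_NS}/mfa_time`, mfa.timestamp);
  }
  return mfa !== null;
}

// Entry point in the shape the platform calls.
const onExecutePostLogin = async (event, api) => {
  applyMfaClaim(event, api);
};
if (typeof module !== "undefined" && module.exports) {
  module.exports.onExecutePostLogin = onExecutePostLogin;
}

// Constructed stand-in for the api object, for running outside the platform.
function makeFakeApi() {
  const claims = {};
  return { claims, accessToken: { setCustomClaim: (k, v) => { claims[k] = v; } } };
}

// Constructed sample events (not captured from a real tenant).
const sampleWithMfa = { authentication: { methods: [
  { name: "pwd", timestamp: "2024-01-01T10:00:00.000Z" },
  { name: "mfa", timestamp: "2024-01-01T10:00:30.000Z" },
] } };
const sampleWithoutMfa = { authentication: { methods: [
  { name: "pwd", timestamp: "2024-01-01T10:00:00.000Z" },
] } };
const sampleNoAuthentication = {}; // no authentication object at all
```
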