We are encountering an issue in our mobile application (Exchangapay) related to the refresh token flow. We have implemented silent access token refresh using the refresh_token
grant as per Auth0 guidelines. However, the refresh request is being rejected with a 403 Forbidden status and the following error:
{"error": "mfa_required", "error_description": "Multifactor authentication required", "mfa_token": "eyJz… (truncated)"}
Summary of the Issue:
- We are making a POST request to https://exchangapay.us.auth0.com/oauth/token using the refresh_token grant type.
- The request fails with a 403 Forbidden and mfa_required error.
- As a result, silent access token renewal is blocked, disrupting the user experience and forcing unnecessary logouts.
Expected Behavior:
- Silent token refresh should succeed as long as the refresh token is valid and the session is active, unless explicitly configured to re-prompt for MFA.
Observations:
- We suspect that MFA enforcement is being triggered during the refresh, possibly due to tenant-level policies or Rules configured in our Auth0 environment.
- While we understand and support secure practices like MFA, we would like guidance on either:
  - How to disable MFA enforcement during the refresh token flow, or
  - How to handle the MFA flow programmatically in a mobile app using the provided mfa_token.
Our Request:
- Could you please confirm if MFA is enforced during the refresh flow in our tenant configuration?
- If it is enforced, is there an option to exempt refresh token grants from this requirement?
- If not, could you guide us with best practices for implementing the MFA challenge and token exchange flow in a React Native app?
- Additionally, any documentation or references for securely managing this MFA-required flow in mobile apps would be appreciated.
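A client-side handler for the mfa_required reply described in the post, added here as an example; it is not code from the post or from Auth0's SDKs. It assumes an injected fetch-compatible function and the app's client_id (CLIENT_ID placeholder); the /mfa/challenge endpoint and the mfa-otp grant type are Auth0's documented MFA API, and fakeAuth0Fetch is a constructed offline stand-in for the tenant's endpoints.

```javascript
// Example handler (assumed design): treat 403 mfa_required as a step, not a failure.
const DOMAIN = "https://exchangapay.us.auth0.com"; // tenant named in the post
const MFA_OTP_GRANT = "http://auth0.com/oauth/grant-type/mfa-otp";

async function postJson(fetchFn, path, body) {
  const res = await fetchFn(DOMAIN + path, { method: "POST",
    headers: { "Content-Type": "application/json" }, body: JSON.stringify(body) });
  return { status: res.status, json: await res.json() };
}

// Step 1: silent refresh. mfa_required is returned as data so the app can
// continue into the MFA step instead of logging the user out.
async function refreshAccessToken(fetchFn, clientId, refreshToken) {
  const { status, json } = await postJson(fetchFn, "/oauth/token",
    { grant_type: "refresh_token", client_id: clientId, refresh_token: refreshToken });
  if (status === 200) return { ok: true, tokens: json };
  if (status === 403 && json.error === "mfa_required") return { ok: false, mfaToken: json.mfa_token };
  throw new Error(`refresh failed: ${status} ${json.error}`);
}

// Step 2: ask for an OTP challenge against the mfa_token, then exchange
// mfa_token + the user's code for fresh tokens.
async function completeMfaOtp(fetchFn, clientId, mfaToken, otp) {
  const ch = await postJson(fetchFn, "/mfa/challenge",
    { mfa_token: mfaToken, client_id: clientId, challenge_type: "otp" });
  if (ch.status !== 200) throw new Error(`challenge failed: ${ch.json.error}`);
  const { status, json } = await postJson(fetchFn, "/oauth/token",
    { grant_type: MFA_OTP_GRANT, client_id: clientId, mfa_token: mfaToken, otp });
  if (status !== 200) throw new Error(`mfa exchange failed: ${status} ${json.error}`);
  return json;
}

// Combined flow: promptForOtp is the app's UI hook that returns the typed code.
async function renewTokens(fetchFn, clientId, refreshToken, promptForOtp) {
  const r = await refreshAccessToken(fetchFn, clientId, refreshToken);
  if (r.ok) return r.tokens;
  return completeMfaOtp(fetchFn, clientId, r.mfaToken, await promptForOtp());
}

// Constructed stand-in for the tenant's endpoints so the flow runs offline.
function fakeAuth0Fetch(url, opts) {
  const b = JSON.parse(opts.body);
  const reply = (status, json) => Promise.resolve({ status, json: async () => json });
  if (url.endsWith("/oauth/token") && b.grant_type === "refresh_token")
    return reply(403, { error: "mfa_required", mfa_token: "MFA_TOKEN_PLACEHOLDER" });
  if (url.endsWith("/mfa/challenge") && b.mfa_token === "MFA_TOKEN_PLACEHOLDER")
    return reply(200, { challenge_type: "otp" });
  if (url.endsWith("/oauth/token") && b.grant_type === MFA_OTP_GRANT && b.otp === "123456")
    return reply(200, { access_token: "NEW_ACCESS_TOKEN", expires_in: 86400 });
  return reply(403, { error: "invalid_grant" });
}
```

With a wrong code the second /oauth/token call returns a non-200 status and renewTokens rejects, so the app can re-prompt rather than silently log the user out.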