Issue with Refresh Token Grant Failing Due to mfa_required (403 Forbidden)

We are encountering an issue in our mobile application (Exchangapay) related to the refresh token flow. We have implemented silent access token refresh using the refresh_token grant as per Auth0 guidelines. However, the refresh request is being rejected with a 403 Forbidden status and the following error:

{
  "error": "mfa_required",
  "error_description": "Multifactor authentication required",
  "mfa_token": "eyJz… (truncated)"
}

Summary of the Issue:

  • We are making a POST request to https://exchangapay.us.auth0.com/oauth/token using the refresh_token grant type.
  • The request fails with a 403 Forbidden and mfa_required error.
  • As a result, silent access token renewal is blocked, disrupting the user experience and forcing unnecessary logouts.

Expected Behavior:

  • Silent token refresh should succeed as long as the refresh token is valid and the session is active, unless explicitly configured to re-prompt for MFA.

Observations:

  • We suspect that MFA enforcement is being triggered during the refresh, possibly due to tenant-level policies or Rules configured in our Auth0 environment.
  • While we understand and support secure practices like MFA, we would like guidance on either:
    1. How to disable MFA enforcement during the refresh token flow, or
    2. How to handle the MFA flow programmatically in a mobile app using the provided mfa_token.

Our Request:

  1. Could you please confirm if MFA is enforced during the refresh flow in our tenant configuration?
  2. If it is enforced, is there an option to exempt refresh token grants from this requirement?
  3. If not, could you guide us with best practices for implementing the MFA challenge and token exchange flow in a React Native app?
  4. Additionally, any documentation or references for securely managing this MFA-required flow in mobile apps would be appreciated.

Hi @exchanga

I believe this community post will be able to answer your questions.

Basically, you would need to set the MFA Policy to None and enforce it using a PostLogin Trigger so that whenever a user authenticates via the oauth2-refresh-token protocol, mfa will not be enabled.

If you have any other questions, let me know!

Kind Regards,
Nik

I’m not clear on this. Could you please explain it in more detail? The community post you provided wasn’t helpful for me. Could you elaborate further?

In case you are using an Auth0 action to enforce MFA for all or certain users, i.e., by using something like api.multifactor.enable(...), api.authentication.challengeWithAny(...), etc. (https://auth0.com/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/post-login-api-object), make sure to not run these actions for the refresh token grant, e.g. by doing a simple check:

exports.onExecutePostLogin = async (event, api) => {
  // Skip the MFA step for the refresh_token grant; interactive logins still get it
  if (event.transaction.protocol !== "oauth2-refresh-token") {
    api.multifactor.enable(...);
  }
};
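To make Nik's suggestion (MFA policy set to None, enforcement moved into a Post Login trigger) and the check shown in the previous reply concrete, here is an added example of a complete Action. It is not code from this thread or from Auth0's documentation. It goes slightly beyond the snippet above by putting the decision in a separate `shouldEnforceMfa` function that can be unit-tested without the Auth0 runtime, and by treating a missing transaction protocol conservatively (challenge rather than skip). The `recordMfaDecision` helper and the sample event objects are constructed for this example; the `event.transaction.protocol` value and the `api.multifactor.enable` call are the real Actions API.

```javascript
// Added example: an Auth0 Post Login Action that requires MFA on interactive
// logins but skips it for the refresh_token grant, so a silent refresh does
// not come back as 403 mfa_required. Assumes the tenant MFA policy is "None",
// so this Action is the only place MFA is required.

// Transaction protocols that must never trigger an MFA challenge.
const MFA_EXEMPT_PROTOCOLS = new Set(["oauth2-refresh-token"]);

// Pure decision function, separated from the Action so it can be tested.
// Returns true when the current login should be challenged with MFA.
function shouldEnforceMfa(event) {
  const protocol = event && event.transaction && event.transaction.protocol;
  // Unknown or missing protocol: fail closed and still challenge.
  if (typeof protocol !== "string") return true;
  return !MFA_EXEMPT_PROTOCOLS.has(protocol);
}

// Action entry point (Post Login trigger).
async function onExecutePostLogin(event, api) {
  if (!shouldEnforceMfa(event)) {
    return; // refresh_token grant: issue the new tokens without an MFA prompt
  }
  // "any" lets the user satisfy the challenge with any enrolled factor;
  // allowRememberBrowser: false means every interactive login is challenged.
  api.multifactor.enable("any", { allowRememberBrowser: false });
}

// Register the handler the way Auth0 Actions expect (CommonJS).
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Test helper (constructed): runs the Action against a fake api object and
// returns the MFA provider that was enabled, or null when MFA was skipped.
// The Action body has no await, so its side effect happens synchronously.
function recordMfaDecision(event) {
  let enabledProvider = null;
  const fakeApi = {
    multifactor: {
      enable: (provider) => { enabledProvider = provider; },
    },
  };
  onExecutePostLogin(event, fakeApi);
  return enabledProvider;
}

// Constructed sample events mirroring the shape of the Actions event object.
const refreshEvent = { transaction: { protocol: "oauth2-refresh-token" } };
const browserLoginEvent = { transaction: { protocol: "oidc-basic-profile" } };
```

Deploy this as the only MFA-enforcing Action on the Post Login trigger; if another Action (or a legacy Rule) still calls `api.multifactor.enable` unconditionally, the refresh grant will keep returning `mfa_required`, so check the whole flow rather than just this one Action.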

Hi again!

Exactly as @mrksbnch has stated and showed via the code, you will need to bypass/enable the MFA whenever the refresh token transaction protocol is used for authentication.

You can read more about that in our documentation.

Kind Regards,
Nik
