Auth0 Home Blog Docs

Lock (v11) checkSession always returns login_required with MFA enabled


With MFA enabled is it possible to refresh the token that is returned by Lock? MFA should work for intial login, but I then want to continue the session based on user activity. This does not seem possible at the moment.


Whenever you refresh a token or call checkSession all the rules will be re-run. So in those scenarios you must bypass the MFA rule. Now here is the problem.

Let’s say you have two applications. If one of those applications requires MFA and the other does not you don’t want to bypass MFA by first logging into the application that does not and the SSO into the second application that does require MFA.

However, if you want to know if the token is being refreshed you can check this:

context.protocol === 'oauth2-refresh-token'

If you want to know if the token is being re-issued via checksession (really this is a call to /authorize?prompt=none&…` you can check this on a rule:

contex.request.query.prompt === 'none'

So in your MFA rule short circuit that rule if any of the conditions above are true. Keep in mind that doing this with the second approach can allow users to bypass MFA in some situations (depending on your use case).