I am developing an iPhone application to demonstrate MFA using the SMS factor with the MFA APIs for a POC. I am using the authorisation code flow for getting my access token (where I get an authorisation code and redeem it for an access token), which I had before the MFA implementation. From the documentation, I found out that I need an MFA_token to work with the MFA APIs. I added a few changes to my existing authorisation process.
I am getting an MFA Token by doing the following steps:
Added the scopes enroll read:authenticators to the authorisation endpoint (i.e. "https://<my_domain>/authorize")
Added an audience, https://<my_domain>/mfa, to the authorisation endpoint
Then I make a POST request to the token endpoint with the authorisation code to get the mfa_token. The only change I can observe is that the access token (which I presume to be the mfa_token) is now in JWT format with an expiry time of 600 sec.
Using this access token (= mfa_token) I built custom pages for my users for enrollment and for challenging the user via SMS.
I am able to enroll a user and confirm enrollment using this access token. But when I challenge a user using this access token, I get the following error after the https://YOUR_DOMAIN/mfa/challenge call.
{
  "error": "invalid_grant",
  "error_description": "Malformed mfa_token"
}
Can anyone please tell me where I am going wrong?
Is the access token the same as the MFA_Token in my case?
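An added diagnostic example, not code from the thread or from Auth0: it decodes the JWT-format access token described above without verifying its signature, purely so you can see locally whether the token you are about to send to the MFA endpoints actually carries the /mfa audience and the enroll and read:authenticators scopes, and how much of its 600-second lifetime is left. The tenant domain, the sample claims and the signature bytes are constructed placeholders. An opaque (non-JWT) token is reported as such rather than raising, since that is the case where the audience parameter never took effect.

```python
import base64
import json
import time
from typing import Optional

# Constructed placeholders (not values from the thread): a tenant domain and
# the MFA audience built from it in the form the original post describes.
TENANT_DOMAIN = "example-tenant.example.com"
MFA_AUDIENCE = f"https://{TENANT_DOMAIN}/mfa"
REQUIRED_SCOPES = {"enroll", "read:authenticators"}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding a JWT segment drops, then decode."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_sample_jwt(payload: dict) -> str:
    """Build a constructed JWT whose signature is a placeholder.

    This exists only to give the inspector something to look at offline;
    it is not a valid token and would be rejected by any real verifier.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header).encode())
        + "."
        + b64url_encode(json.dumps(payload).encode())
    )
    placeholder_signature = b64url_encode(b"constructed-signature-placeholder")
    return signing_input + "." + placeholder_signature


def decode_unverified(token: str) -> Optional[dict]:
    """Return the payload claims WITHOUT checking the signature.

    Suitable only for local inspection of a token you already hold; never
    use unverified claims to make an authorisation decision.
    Returns None when the string is not a compact JWT (e.g. an opaque token).
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        return json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_mfa_access_token(token: str, now: Optional[int] = None) -> dict:
    """Report whether a token looks like the /mfa-audience access token
    the thread describes: JWT format, aud includes the MFA audience,
    both required scopes present, and not yet expired."""
    now = int(time.time()) if now is None else now
    claims = decode_unverified(token)
    if claims is None:
        return {"is_jwt": False, "has_mfa_audience": False,
                "missing_scopes": sorted(REQUIRED_SCOPES),
                "expired": None, "seconds_left": None}
    aud = claims.get("aud", [])
    aud_list = [aud] if isinstance(aud, str) else list(aud)
    scopes = set(claims.get("scope", "").split())
    exp = claims.get("exp")
    return {
        "is_jwt": True,
        "has_mfa_audience": MFA_AUDIENCE in aud_list,
        "missing_scopes": sorted(REQUIRED_SCOPES - scopes),
        "expired": exp is not None and now >= exp,
        "seconds_left": None if exp is None else exp - now,
    }


# Constructed sample claims mirroring what the post reports: the /mfa
# audience, the two scopes, and a 600-second lifetime.
SAMPLE_ISSUED_AT = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": f"https://{TENANT_DOMAIN}/",
    "sub": "auth0|constructed-user-id",
    "aud": MFA_AUDIENCE,
    "scope": "enroll read:authenticators",
    "iat": SAMPLE_ISSUED_AT,
    "exp": SAMPLE_ISSUED_AT + 600,
}
SAMPLE_TOKEN = make_sample_jwt(SAMPLE_CLAIMS)

if __name__ == "__main__":
    print(json.dumps(inspect_mfa_access_token(SAMPLE_TOKEN, now=SAMPLE_ISSUED_AT + 10), indent=2))
    print(json.dumps(inspect_mfa_access_token("opaque-token-string"), indent=2))
```

Paste the real access token from the callback in place of SAMPLE_TOKEN to see which kind of token you hold. Note what this check cannot tell you: the thread's later replies conclude that a token with the right audience and scopes is still an access token, not the mfa_token that /mfa/challenge expects, so a clean report here narrows the problem to the flow rather than to the token's contents.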
I have the exact same problem.
I'm using the https://YOUR_DOMAIN/mfa audience and the enroll read:authenticators scopes and getting the user to log in.
I'm using the access_token returned in the callback as the MFA token (expires in 600 sec) and use it to enroll and list the authenticators; both work.
But using the same MFA token to call the /mfa/challenge endpoint always fails with:
For now I'm bypassing this by always enrolling the user again with the same phone number (for SMS) and then verifying it; it "works" but just feels wrong.
I'm using the express-oidc-connect middleware in my Express application and I'm calling the oidc.login() method. I know it redirects me to /authorize, so I'm guessing I'm not doing ROPG?
After the user is logged in, I'm taking the access_token from the session, which, like I mentioned, works for the enroll & list authenticators calls.
From the application side, I'm using a regular web app with POST as the Token Endpoint Authentication Method and passing both client_id and client_secret to the /mfa/challenge call.
I've also tried both social login via Google and user-password login, which results in the same error: Malformed mfa_token.
It sounds like you don't have MFA enabled at the tenant level (Dashboard → Security → Multi-factor Auth)? I believe you may need to have this enabled in order to receive an MFA token that can be used at /mfa/challenge. If MFA is enabled and you go to log a user in, you should receive an error like:
Thanks, MFA is enabled.
I’ve also contacted auth0 support via ticket about this, so I’m sharing what I was told.
Basically, it seems that in order to get a valid MFA token for /mfa/challenge, we must use ROPG.
The /authorize endpoint with the audience and scopes is not enough, since once I pass the login there, I'm already considered logged in and have an access_token, which allows me to enroll new MFA methods but cannot be used as the MFA token for the /mfa/challenge endpoint.
It seems that to properly use MFA with the universal login, I can only customize the screens within auth0, I cannot implement my own flow in my app and use the API.