Malformed mfa_token message when trying to challenge a user with MFA

I am developing an iPhone application to demonstrate MFA using the SMS factor with the MFA APIs as a POC. Prior to the MFA implementation I was using the authorisation flow for getting my access token (where I get an authorisation code and redeem it for an access token). From the documentation, I found out that I need an MFA token to work with the MFA APIs, so I added a few changes to my existing authorisation process.

I am getting an MFA Token by doing the following steps:

  1. Added the scope enroll read:authenticators to the authorisation endpoint (i.e. “https://<my_domain>/authorize”)
  2. Added an audience: https://<my_domain>/mfa to the authorisation endpoint

Then I make a POST request to the token endpoint with the authorization code to get the mfa_token. The only change I can observe is that the access token (which I presume to be the mfa_token) is now in JWT format with an expiry time of 600 sec.

Using this access token (= mfa_token) I built custom pages for my user for enrollment and for challenging the user via SMS.
I am able to enroll the user and confirm enrollment using this access token. But when I challenge a user using this access token I get the following error after the https://YOUR_DOMAIN/mfa/challenge call:

    "error": "invalid_grant",
    "error_description": "Malformed mfa_token"

Can anyone please tell me where I am going wrong?
Is the access token the same as the MFA token in my case?

Thanks in Advance!

Hi, just wondering if you got anywhere with this issue? I am experiencing the exact same thing you have detailed above.

Thanks in advance.

Hi, I’ve been having the same issue with the same error response. The associate and confirm MFA endpoints are working but the challenge does not.

Auth0 team, please reply on this topic.


Does anyone have any idea about this? I am getting the same issue.

I am also stuck on this step. I have 3 factors set as active, but can’t get past issuing a challenge:

  • What audience and scope is required for the MFA token for this endpoint: /mfa/challenge

I have the exact same problem.
I’m using the https://YOUR_DOMAIN/mfa audience and enroll read:authenticators scopes and getting the user to log in.
I’m using the access_token returned in the callback as the MFA token (expires in 600 sec) and use it to enroll and list the authenticators - both work.
But using the same MFA token to call the /mfa/challenge endpoint always fails with:

    "error": "invalid_grant",
    "error_description": "Malformed mfa_token"

For now I’m bypassing this by always enrolling the user again with the same phone number (for SMS) and then verifying it; it “works” but just feels wrong.

Any help would be appreciated!

Hello @ron_runviably thanks for the detailed description and welcome to the community!

I’d be curious to know how exactly you are authorizing the user here - Are you using ROPG or a call to /authorize?

Let us know!

Hi @tyf and thanks for the reply.

I’m using express-oidc-connect middleware in my express application and I’m calling the oidc.login() method, I know it redirects me to /authorize, so I’m guessing I’m not doing ROPG?
After the user is logged in, I’m taking the access_token from the session, which like I mentioned works for enroll & list authenticators calls.

From the application side, I’m using a regular web app with POST as the Token Endpoint Authentication Method and passing both client_id and client_secret to the /mfa/challenge call.

I’ve also tried both social login via Google and user-password login, which results in the same error Malformed mfa_token.

Thanks for all the info!

It sounds like you don’t have MFA enabled at the tenant level (Dashboard → Security → Multi-factor Auth)? I believe you may need to have this enabled in order to receive an MFA token that can be used at /mfa/challenge . If MFA is enabled and you go to log a user in, you should receive an error like:

    "error": "mfa_required",
    "error_description": "Multifactor authentication required",
    "mfa_token": "Fe26...Ha"

This token should work to challenge. You could also try adding https://YOUR_DOMAIN/mfa/ as an audience, but I am not positive that will work either.

Thanks, MFA is enabled.
I’ve also contacted auth0 support via ticket about this, so I’m sharing what I was told.

Basically, it seems that in order to get a valid MFA token for /mfa/challenge, we must use ROPG.

The /authorize endpoint with the audience and scopes is not enough, since once I pass the login there, I’m already considered logged in and have an access_token, which allows me to enroll new MFA methods but cannot be used as the MFA token for the /mfa/challenge endpoint.

It seems that to properly use MFA with the universal login, I can only customize the screens within auth0, I cannot implement my own flow in my app and use the API.

Thanks a bunch for following up on this and sharing with the community! :smile:
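The distinction the thread arrives at (an access_token issued for the `.../mfa` audience is not the mfa_token that `/mfa/challenge` expects; that token only comes back in the `mfa_required` error of a token request) can be made explicit in client code. The following is an added example, not code from the thread or from Auth0: it separates the two token-endpoint responses, builds the challenge body using Auth0's documented `challenge_type`/`authenticator_id` fields, and refuses a JWT up front. The JWT check is my own debugging heuristic (the quoted mfa_token starts with `Fe26`, an opaque sealed token, while the access token described above is a JWT), and every token value below is a constructed placeholder.

```python
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def looks_like_jwt(token: str) -> bool:
    """Heuristic: three dot-separated segments whose first is a JSON header with 'alg'."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return False
    return isinstance(header, dict) and "alg" in header


def extract_mfa_token(token_response: dict) -> Optional[str]:
    """Return the mfa_token only from an mfa_required error; a success body has none."""
    if token_response.get("error") == "mfa_required":
        return token_response.get("mfa_token")
    return None


def build_challenge_request(mfa_token: str, client_id: str, client_secret: str,
                            authenticator_id: Optional[str] = None) -> dict:
    """Body for POST https://YOUR_DOMAIN/mfa/challenge requesting an SMS (out-of-band) challenge."""
    if looks_like_jwt(mfa_token):
        # This is the mistake behind "Malformed mfa_token": an access token was passed instead.
        raise ValueError("mfa_token looks like a JWT access token; use the token from the mfa_required error")
    body = {"mfa_token": mfa_token, "client_id": client_id,
            "client_secret": client_secret, "challenge_type": "oob"}
    if authenticator_id:
        body["authenticator_id"] = authenticator_id
    return body


# Constructed samples (placeholders, not real tokens) of the two responses discussed above.
MFA_REQUIRED_RESPONSE = {"error": "mfa_required",
                         "error_description": "Multifactor authentication required",
                         "mfa_token": "Fe26.2**constructed-placeholder**Ha"}
_JWT_HEADER = base64.urlsafe_b64encode(json.dumps({"alg": "RS256"}).encode()).rstrip(b"=").decode()
CODE_EXCHANGE_RESPONSE = {"access_token": f"{_JWT_HEADER}.e30.c2ln",  # header.payload.signature
                          "token_type": "Bearer", "expires_in": 600}
```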

