MFA API and Logical API - enroll permission

Hi all
I’m currently writing a page in .NET to allow users to manage their MFA preferences within the “My account/My settings” page. I’ve been following this article to achieve that: Manage Authenticator Factors with Auth0 MFA API
I’m using a logical API as described here: Configure Logical API for Multiple APIs, to combine a set of scopes a user can have. It looks like using logical APIs is a workaround to support multiple audiences.
The logical API has all scopes defined in the MFA API Manage article: enroll, read:authenticators, remove:authenticators.
When I start the authorise flow I provide all these scopes: “openid profile email offline_access read:authenticators remove:authenticators enroll” and the audience is: “my-logical-api”.
I’m able to retrieve the list of authentication methods using {myDomain}/mfa/authenticators. I’m able to delete an authenticator using {myDomain}/mfa/authenticators/{authenticatorId}. I am also able to start the enrollment via SMS and Email using the API POST {myDomain}/mfa/associate, and I do receive the OOB token by SMS/Email.
However, when I enter the 6-digit OOB token received via Email or SMS and POST it to {myDomain}/oauth/token alongside the OOB code, I receive the following error:
{"error":"invalid_grant","error_description":"invalid audience"}
The “mfa_token” that I’m sending is the same access token that was returned during the authorise flow.
Inspecting this token in jwt.io, I see the following values:
  "iss": "my-domain",
  "sub": "auth0|5f1abe543e64cc003d68a2a5",
  "aud": [
    "my-logical-api",
    "https://{myDomain}/userinfo"
  ],
  "iat": 1595593446,
  "exp": 1595600646,
  "azp": "hMir1nWSBaNXkTtuFaZDGXKsEJKFmCJl",
  "scope": "openid profile email read:authenticators remove:authenticators enroll",
  "permissions": [
    "enroll",
    "enroll:mfa",
    "read:authenticators",
    "read:an-internal-api",
    "remove:authenticators"
  ]

As a sanity check that this isn’t a bug on my side, I’ve temporarily changed the code to request the “{myDomain}/mfa/” audience when starting the authorise flow with the same scopes listed above and, now, with that access token I can enroll in MFA successfully after receiving the 6-digit code. But that now breaks other permissions/scopes related to the logical API.

Can anyone please shed some light on it?
Many thanks.
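The post above shows two tokens being sent as mfa_token: one issued for the logical API (which Auth0 rejects with “invalid_grant: invalid audience”) and one issued for the https://{myDomain}/mfa/ audience (which works). As an added example, not code from the post or from Auth0, the Python helpers below reproduce the inspection the poster did in jwt.io and the /oauth/token request they describe: decode the access token’s claims without verifying them, check whether aud contains the MFA API audience, and build the mfa-oob grant body, refusing to send it when the audience is wrong rather than waiting for the server to reject it. The tenant domain example.auth0.com, the client id and the sample tokens are constructed; the sample tokens are unsigned (alg none) so the example runs offline. Decoding without verification is fine for inspecting a token your own tenant just issued to you, but must never be used to trust a token presented by anyone else.

```python
import base64
import json

# Auth0's MFA API audience is the tenant domain plus "/mfa/"; the domain used
# in the demo below (example.auth0.com) is a constructed placeholder.
MFA_AUDIENCE_TEMPLATE = "https://{domain}/mfa/"
MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob"


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying its signature.

    This is what jwt.io does when you paste a token in. It is only safe for
    inspecting a token you received from your own tenant; never use it to
    trust claims in a token handed to you by a third party.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def audiences(claims: dict) -> list:
    """'aud' may be a single string or a list; normalise it to a list."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def has_mfa_audience(token: str, domain: str) -> bool:
    """True if the token was issued for the MFA API and can serve as mfa_token."""
    expected = MFA_AUDIENCE_TEMPLATE.format(domain=domain)
    return expected in audiences(decode_jwt_claims(token))


def mfa_oob_token_request(client_id: str, mfa_token: str, oob_code: str,
                          binding_code: str, domain: str) -> dict:
    """Body for POST /oauth/token that exchanges the OOB code for tokens.

    Fails early with a clear message when mfa_token carries the wrong audience,
    instead of round-tripping to Auth0 for 'invalid_grant: invalid audience'.
    """
    if not has_mfa_audience(mfa_token, domain):
        raise ValueError(
            "mfa_token audience is %s; the MFA API expects %s"
            % (audiences(decode_jwt_claims(mfa_token)),
               MFA_AUDIENCE_TEMPLATE.format(domain=domain))
        )
    return {
        "grant_type": MFA_OOB_GRANT,
        "client_id": client_id,
        "mfa_token": mfa_token,
        "oob_code": oob_code,          # returned by POST /mfa/associate
        "binding_code": binding_code,  # the 6-digit code the user received
    }


def constructed_token(aud) -> str:
    """Constructed, unsigned (alg 'none') sample token mirroring the claim shape
    shown in the post. Only for exercising the inspection helpers offline."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {
        "iss": "https://example.auth0.com/",
        "sub": "auth0|user",
        "aud": aud,
        "scope": "openid profile email read:authenticators remove:authenticators enroll",
    }
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


if __name__ == "__main__":
    DOMAIN = "example.auth0.com"  # constructed placeholder tenant
    logical = constructed_token(["my-logical-api", f"https://{DOMAIN}/userinfo"])
    mfa = constructed_token([f"https://{DOMAIN}/mfa/"])
    print(has_mfa_audience(logical, DOMAIN))  # False: Auth0 rejects this as mfa_token
    print(has_mfa_audience(mfa, DOMAIN))      # True
```

The check is a pre-flight on your own token, not a substitute for the server’s validation: Auth0 still verifies the signature, expiry and audience when it receives the request.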

We are having the exact same issue, no response from Auth0 Community though… I will reopen this topic on my own, stay tuned and see if we can manage to solve this.


Did you guys manage to get forward?

I also want to configure MFA from our UI using .NET and also don’t know how to get a valid audience and scopes not only for MFA but also for our API…

Hi @damikun

Since the post was created, we introduced (in January 2023) new Management API methods for MFA Factors management and they make the whole process quite easy.

The methods are listed in the Management API reference guide under the /users section. They allow you to create, replace, delete, bulk delete and update Factors.

Hey @sylvainf, thanks for the reply…

Nice, I already tried this API and created a phone auth method, but the user is not prompted after setup when logging in using the Universal UI… Do I need to specifically enable that in some user metadata?

And specially for TOTP:
One of the arguments is Secret… where do I get the user secret? Maybe I’m missing a concept, but other providers usually generate and store this for you… Or in the case of Auth0, is it a user-defined random string?

You’re right, the Management API Factors are pre-validated.

The secret is usually a 20-byte string provided by the authenticator app. It’s usually transmitted by the QR code that the user scans rather than entered by hand. So to provide support for TOTP you would need to build this into your client / app / interface and read this value from the user input (using a QR code library, for example), since you as the app owner don’t have access to this info (it’s generated by the authenticator app).

If you need to use the Auth API (keeping in mind that you don’t need your own interface if you want to let your users enroll in MFA in the New Universal Login), I would refer to the Authentication section of the Auth API reference. I don’t have examples for the Auth API, but for the Management API the Audience corresponds to the Identifier field when configuring the API in the Auth0 dashboard.
