Hi all
I’m currently writing a page in .NET to allow users to manage their MFA preferences within a “My account/My settings” page. I’ve been following this article to achieve that: Manage Authenticator Factors with Auth0 MFA API
I’m using a logical API as described here: Configure Logical API for Multiple APIs, to combine the set of scopes a user can have. It looks like using logical APIs is a workaround to support multiple audiences.
The logical API has all scopes defined in the MFA API Manage article: enroll, read:authenticators, remove:authenticators.
When I start the authorise flow I provide all these scopes: “openid profile email offline_access read:authenticators remove:authenticators enroll” and the audience is: “my-logical-api”.
I’m able to retrieve the list of authentication methods using {myDomain}/mfa/authenticators. I’m able to delete an authenticator using {myDomain}/mfa/authenticators/{authenticatorId}. I’m also able to start the enrollment via SMS and Email using the API POST {myDomain}/mfa/associate, and I do receive the OOB token by SMS/Email.
However, when I enter the 6-digit OOB token received via Email or SMS and POST it to {myDomain}/oauth/token along with the OOB code, I receive the following error:
{"error":"invalid_grant","error_description":"invalid audience"}
The “mfa_token” that I’m sending is the same access token that was returned during the authorise flow.
Inspecting this token in jwt.io, I have the following values:
{
  "iss": "my-domain",
  "sub": "auth0|5f1abe543e64cc003d68a2a5",
  "aud": [
    "my-logical-api",
    "https://{myDomain}/userinfo"
  ],
  "iat": 1595593446,
  "exp": 1595600646,
  "azp": "hMir1nWSBaNXkTtuFaZDGXKsEJKFmCJl",
  "scope": "openid profile email read:authenticators remove:authenticators enroll",
  "permissions": [
    "enroll",
    "enroll:mfa",
    "read:authenticators",
    "read:an-internal-api",
    "remove:authenticators"
  ]
}
As a sanity check that this isn’t a bug on my side, I’ve temporarily changed the code to request the “{myDomain}/mfa/” audience when starting the authorise flow for the same scopes listed above, and now, with that access token, I can enroll in MFA successfully after receiving the 6-digit code. But that has now broken other permissions/scopes related to the logical API.
Can anyone please shed some light on it?
Many thanks.
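The following is an added example written for this page; it is not code from the post above or from Auth0. It builds the two request bodies the post describes (the POST to /mfa/associate that starts an SMS enrollment, and the mfa-oob grant against /oauth/token that submits the 6-digit code) and adds a pre-flight check that decodes the access token's aud claim and looks for the MFA API audience. The token pasted in the post carries only "my-logical-api" and the userinfo audience, while the token that worked in the sanity check was issued for "{myDomain}/mfa/", so checking aud before attempting the grant is the quickest way to tell the two tokens apart. The tenant domain, the unsigned sample tokens and the phone number are constructed placeholders (assumptions, not the poster's values); the JSON field names and the grant type string follow the Auth0 MFA API documentation. The decoder deliberately skips signature verification: it is for inspecting claims locally, not for trusting a token.

```python
import base64
import json

# Grant type Auth0's MFA API uses to complete an OOB (SMS/email) challenge.
MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob"

# Constructed placeholder tenant domain for the demo (assumption, not the poster's tenant).
DOMAIN = "my-domain.example"


def mfa_api_audience(domain: str) -> str:
    """Audience identifier of the Auth0 MFA API for a tenant."""
    return f"https://{domain}/mfa/"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unsigned_jwt(claims: dict) -> str:
    """Build an UNSIGNED JWT (alg=none) so sample tokens can be constructed offline.
    Demo only: real Auth0 access tokens are RS256-signed and must be verified."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT signature verification (claim inspection only)."""
    parts = token.split(".")
    if len(parts) < 2:
        raise ValueError("not a JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def audiences(claims: dict) -> list:
    """`aud` may be a single string or a list; normalise it to a list."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def usable_as_mfa_token(token: str, domain: str) -> bool:
    """Pre-flight check before sending the mfa-oob grant to /oauth/token:
    the token offered as mfa_token must carry the MFA API audience."""
    return mfa_api_audience(domain) in audiences(decode_claims(token))


def associate_sms_request(phone_number: str) -> dict:
    """Body for POST https://{domain}/mfa/associate to start SMS OOB enrollment."""
    return {
        "authenticator_types": ["oob"],
        "oob_channels": ["sms"],
        "phone_number": phone_number,
    }


def mfa_oob_token_request(mfa_token: str, oob_code: str, binding_code: str, client_id: str) -> dict:
    """Body for POST https://{domain}/oauth/token that completes the OOB challenge.
    oob_code comes from the /mfa/associate response; binding_code is the 6-digit
    code the user received by SMS/email."""
    return {
        "grant_type": MFA_OOB_GRANT,
        "mfa_token": mfa_token,
        "oob_code": oob_code,
        "binding_code": binding_code,
        "client_id": client_id,
    }


# Constructed sample claims modelled on the token pasted in the post.
LOGICAL_API_CLAIMS = {
    "iss": f"https://{DOMAIN}/",
    "sub": "auth0|5f1abe543e64cc003d68a2a5",
    "aud": ["my-logical-api", f"https://{DOMAIN}/userinfo"],
    "scope": "openid profile email read:authenticators remove:authenticators enroll",
}
# Same claims, but issued for the MFA API audience (the sanity-check variant).
MFA_API_CLAIMS = {
    **LOGICAL_API_CLAIMS,
    "aud": [mfa_api_audience(DOMAIN), f"https://{DOMAIN}/userinfo"],
}

LOGICAL_API_TOKEN = unsigned_jwt(LOGICAL_API_CLAIMS)
MFA_API_TOKEN = unsigned_jwt(MFA_API_CLAIMS)

if __name__ == "__main__":
    for name, tok in (("logical-api token", LOGICAL_API_TOKEN), ("mfa-api token", MFA_API_TOKEN)):
        print(name, audiences(decode_claims(tok)),
              "usable as mfa_token:", usable_as_mfa_token(tok, DOMAIN))
    print(associate_sms_request("+15555550100"))  # constructed phone number
    print(mfa_oob_token_request(MFA_API_TOKEN, "<oob_code>", "123456", "<client_id>"))
```

Running the block prints the audiences of each sample token and whether it passes the check; only the token issued for the MFA API audience does. The request builders return plain dicts so they can be JSON-encoded and posted with whatever HTTP client the .NET or Python caller already uses.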