I’m trying to enroll a user’s authenticator using the MFA API.
use Illuminate\Support\Facades\Http;

// Enroll a TOTP authenticator with the MFA token obtained for this user
$response = Http::withHeaders([
    'Authorization' => 'Bearer ' . $request->mfa_token,
    'Content-Type' => 'application/json',
])->post('https://{MY_DOMAIN}/mfa/associate', [
    'authenticator_types' => ['otp'],
]);
According to this, the response should include the recovery_codes. However, I’m not seeing any.
{
    "authenticator_type": "otp",
    "secret": "******",
    "barcode_uri": "otpauth://totp/******"
}
I’m using the following method to check if it’s the user’s first authenticator association. The MFA API is used only when it results in false.
// List the authentication methods already enrolled for the logged-in user
$get_factor_api = Auth0::management()
    ->users()
    ->getAuthenticationMethods(
        user: Auth::id(),
    );
$get_factor_api_response = json_decode($get_factor_api->getBody()->getContents());
// true when the user already has at least one enrolled method
return count($get_factor_api_response) > 0;
(I’m using laravel-auth0.)
The scopes in the MFA token are openid, profile, email, enroll and offline_access.
Is there something wrong?
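An added example, not code from the original post: a wrapper around the same POST /mfa/associate call that makes the two outcomes explicit (recovery_codes present on the user's first enrollment, absent otherwise) and avoids logging the returned OTP secret. The $domain and $mfaToken parameters are assumptions standing in for the post's {MY_DOMAIN} and mfa_token.

```php
<?php
// Added example (not from the original post). Assumes Laravel's Http and Log
// facades and that $mfaToken is the MFA token already obtained for the user.
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Log;

function associateOtp(string $domain, string $mfaToken): array
{
    $response = Http::withHeaders([
        'Authorization' => 'Bearer ' . $mfaToken,
        'Content-Type'  => 'application/json',
    ])->post("https://{$domain}/mfa/associate", [
        'authenticator_types' => ['otp'],
    ]);

    if (!$response->successful()) {
        // Log only the status: the body may contain the OTP secret.
        Log::warning('mfa/associate failed', ['status' => $response->status()]);
        throw new RuntimeException('MFA association failed');
    }

    $body = $response->json();

    // recovery_codes is only returned when this is the user's first
    // enrollment; a response without it is the expected shape afterwards.
    $firstEnrollment = array_key_exists('recovery_codes', $body);

    return [
        'first_enrollment' => $firstEnrollment,
        'recovery_codes'   => $firstEnrollment ? $body['recovery_codes'] : [],
        'barcode_uri'      => $body['barcode_uri'] ?? null,
    ];
}
```

Checking first_enrollment on the result, rather than assuming the key exists, lets the caller distinguish "no codes because a method already exists" from a genuinely unexpected response.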