MFA Challenge in resource owner flow results in Unauthorized error

Attempting to test the ROPG flow here:https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa

The user in question has MFA OTP enabled, I get to the challenge portion of the docs here: Enroll and Challenge OTP Authenticators

and receive the following:
{

"error": "server_error",

"error_description": "Unauthorized"

}

Grant type MFA is enabled so I’m at a loss on why this error is occurring, any advice would be appreciated!

Hi @daniel.fourman,

Welcome to the Auth0 Community!

Which endpoint is returning that error?

Also, did you see this?

Hi,

It is the /mfa/challenge endpoint for my tenant, yea I added that but still same error.

I am testing this in postman, the other calls are working as expected.

Thanks,
Dan

Can you provide an example of the requests you are making?

https://[DOMAIN].us.auth0.com/mfa/challenge
{

"client_id": "[APPLICATION ID COPIED HERE THAT HAS MFA GRANT ENABLED]",

"challenge_type": "otp",

"mfa_token": "Fe26.2*82dcca*e3dec1b225a482e41df1ff0d3bd56fa250ea8a058cdb1e9801897ae61cf81b2b*nDVcFhFPTZ7LOMdALMgfDQ*GBJWPO2AnMX4mXXwlS72dlQMIqbLvWS4HRp_V_Tu9Q2bjbId3szYKJXrxyyBbr_T-sezRO2Kwj7SdA5jmoNtUceVeNBVZLV8_kw3zEPfHk8b99dtsF4TJ1S4B-nkuGN5qRuGVRmCjuF5TVE518xUX-XnEohXORBkeqAr_pWmggLf_xcxWrDJmefKIkjBcupkzNvrfmyl6mnFiPRjNZa0pMDZblTxGtFQU45YpxqAYn6hqLtt9_HKPjtmUuVApkSZk8F31JOhi7VDIJKBltAIe85V3UFTY-ibcz1TiLaoVrbpzzofmHvJEznCvzjA2Tnt5LAQI6lI_UpFyPo7DobAJXEdYfcGrpxRKxeSru7r_CF9DZDH5i_VjnKSogf0sNtaLdmWLBk9-4xYZ58CL31Xiw-eHOFkFhYk09blXNz943fSOU0q3wfyUEyVkDgMn6VCLQlvLP3Go8Aj_Yg0GCdQA_EPQtccw795V_1UVkn_IaguZb58bq6CZQfUDeq5j3fdoKHI_lhkztzw8rs481uAhR6aTm8vDUTet8YPnPwo4je1YKMblR4afQNSH2IgSmMOMdEBguyDoZ2RnovuCZh0P8UTNJ8dmoK6bq3H_xy2M7drI7cis0qoLWJLXts5F_e0i7GhhXDMmM-dk4WVPutyBwwwhLlwK1kSE-c6THL1BkWbbI75Vz1T9EB4U46LVGMByL5UUf2-vDca9Gne1hILWSls8KWxKSUp1gDkvTu9YvnY3I0tWDud48e2wxxWxKZQvX5JJlabxOGw2Bj_TD5aThK66F53ORzuUcIR4y4xO_kSUm0RepqqFUGvhf_8u6DKcBBdsxTpk90KtlSy8v7aJQJiqs4mu4dalctdteOMR9r3y27JKvFEmtStHUn5i-GNaY76vqpW8BJrW3uC2rtEIBaIgi27EpsnGIvxaZwkSIm1TPInbl6YZFK09FF4RmN8lM_x4nwT8Mm-z9byXATR9SitR--266lmTeAAoLqUzWPcvEA4ZMhlPK6etDfPt7Z-lPhZSFUvnPl-Vi8VsD6LLdmOswFevbxzMxwf0hGsvxnwjTdV0T411E9AHDmhgb7ppO6ZkWhCj4NK1k3__rMJkkpkKq0EJ2Pc6l--wQ1rdKDK8iNWX6RNIu2lh9AxY3_GDl73yQgU0BRwRu9XfBteponS4ZlmTh4gIaaQ1AZaJa4qgSI1iBSvYA_u1GeXxUXhU7c72ur3izWYZ2kKZum8TAbe6bdRv954biSmxHAGrhM*1644325679114*7c55bd3baaf92667fcdeab8424f400541132c5d9f215a82e3ed5341b26737ab3*WWUrPk1WTV0TkShoR8pPjnMEIyQvgwmR1SFNV8OnyFI",

"authenticator_id": "[AUTH ID COPIED HERE FROM PREVIOUS STEP]"

}

Do you have a screenshot or code snippet of the actual request you are making?

edit: Please include header info, method, etc.

Everything looks okay here. Can you please try with cURL using this format:

curl --request POST \
  --url 'https://YOUR_DOMAIN/mfa/challenge' \
  --header 'content-type: application/json' \
  --data '{ "client_id": "YOUR_CLIENT_ID", "challenge_type": "otp", "mfa_token": "MFA_TOKEN", "authenticator_id" : "totp|dev_6NWz8awwC8brh2dN" }'

Sometimes I encounter issues with postman.

As an aside, MFA is a paid service, and it looks like you are on a free account. Just wanted to let you know!

Curl resulted in the same error.
I have a feeling the free account is probably the issue, I thought OTP was part of the free tier, looks like that matches with this description On which tier can I use MFA feature?

Thanks!

I’ll disable it for now, this is a beta app, when we’re ready to release ill upgrade and turn it back on.

Appreciate the help!

1 Like