MFA Challenge 'server_error' 'Unauthorized'

I have been trying to implement a custom MFA workflow in Auth0 using the details described on this page: https://auth0.com/docs/mfa/authenticate-with-ropg-and-mfa/enroll-challenge-sms-voice-authenticators

I have successfully enrolled a user for MFA this way.

However, when it comes to the user disabling MFA I’ve run into some issues.

The API attempts to fetch a token and receives a response similar to this:

  {
    "error": "mfa_required",
    "error_description": "Multifactor authentication required",
    "mfa_token": "Fe26...Ha"
  }

The API then fetches the enrolled authenticators and gets a response similar to this:

  [
    {
      id: 'sms|dev_gH5vQnpT4ijbPLz5',
      authenticator_type: 'oob',
      active: true,
      oob_channel: 'sms',
      name: 'XXXXXXXX5635'
    },
  ]

The API then takes the correct ID and the mfa_token from above and requests a challenge as described here: https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-challenge-sms-voice-authenticators.

We’re using these request options:

  {
    method: 'POST',
    url: `https://${config.auth0.domain}/mfa/challenge`,
    data: {
      client_id: config.auth0.clientId,
      client_secret: config.auth0.clientSecret,
      challenge_type: 'oob',
      authenticator_id: id,
      mfa_token: "Fe26...Ha"
    }
  };

Someone suggested in this thread https://community.auth0.com/t/post-request-to-mfa-challenge-endpoint-returns-unauthorized-error/48577 to add 'Content-Type: application/json' to the headers, which we are also doing.

We get this error:

  {
    "error": "server_error",
    "error_description": "Unauthorized"
  }

Can anyone help?


Would be great if someone could help!

Can anyone help out?

Would be good if someone could help.

We’re still struggling with this.

I was receiving this error and the header did the trick.

  curl --request POST \
  --url 'https://domain/mfa/challenge' \
  --header 'content-type: application/json' \
  --data '{ "client_id": "client_id",  "client_secret": "client_secret", "challenge_type": "oob", "authenticator_id": "sms|id", "mfa_token": "mfa_token" }'
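The three steps the thread walks through (the token reply carrying mfa_token, picking the enrolled authenticator, and the /mfa/challenge call with the JSON Content-Type header that resolves the Unauthorized reply), as an added JavaScript example that is not code from the thread or from Auth0. The tenant domain and client credentials are placeholder assumptions, and send() assumes Node 18+ for the global fetch.

```javascript
// Added example, not from the thread: offline helpers for the ROPG + MFA flow.
// Assumed placeholders: tenant domain and client credentials.
const auth0 = { domain: 'YOUR_TENANT.auth0.com', clientId: 'CLIENT_ID', clientSecret: 'CLIENT_SECRET' };

// Step 1: the /oauth/token reply with "error": "mfa_required" carries the mfa_token.
function mfaTokenFrom(tokenResponse) {
  if (tokenResponse.error !== 'mfa_required' || !tokenResponse.mfa_token) return null;
  return tokenResponse.mfa_token;
}

// Step 2: pick an active OOB authenticator on the wanted channel from /mfa/authenticators.
function pickAuthenticator(list, channel = 'sms') {
  return list.find(a => a.active && a.authenticator_type === 'oob' && a.oob_channel === channel) || null;
}

// Step 3: the /mfa/challenge request. The JSON Content-Type header is what the thread
// found missing; without it the endpoint answered server_error / Unauthorized.
function buildChallengeRequest(mfaToken, authenticatorId) {
  return {
    url: `https://${auth0.domain}/mfa/challenge`,
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      client_id: auth0.clientId,
      client_secret: auth0.clientSecret,
      challenge_type: 'oob',
      authenticator_id: authenticatorId,
      mfa_token: mfaToken,
    }),
  };
}

// Classify the challenge reply so a caller can tell the header/credential failure
// from a successfully dispatched SMS challenge (which returns an oob_code).
function classifyChallenge(res) {
  if (res.error === 'server_error' && res.error_description === 'Unauthorized') return 'unauthorized';
  if (res.challenge_type === 'oob' && res.oob_code) return 'challenge_sent';
  return 'unknown';
}

// The only network call; needs a real tenant and valid credentials (not run here).
async function send(req) {
  const r = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  return r.json();
}
```

The oob_code returned by a successful challenge is what the later /oauth/token call with the user's SMS code must carry, so keep it alongside the mfa_token.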

Thank you for sharing this with the rest of the community!