I have been trying to implement a custom MFA workflow in Auth0 using the details described on this page: https://auth0.com/docs/mfa/authenticate-with-ropg-and-mfa/enroll-challenge-sms-voice-authenticators
I have successfully enrolled a user for MFA this way.
However, when it comes to the user disabling MFA I’ve run into some issues.
The API attempts to fetch a token and receives a response similar to this:
{
  "error": "mfa_required",
  "error_description": "Multifactor authentication required",
  "mfa_token": "Fe26...Ha"
}
The API then fetches the enrolled authenticators and gets a response similar to this:
[
  {
    id: 'sms|dev_gH5vQnpT4ijbPLz5',
    authenticator_type: 'oob',
    active: true,
    oob_channel: 'sms',
    name: 'XXXXXXXX5635'
  },
]
The API then takes the correct ID and the mfa_token from above and requests a challenge as described here: https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-challenge-sms-voice-authenticators.
We’re using these request options:
{
  method: 'POST',
  url: `https://${config.auth0.domain}/mfa/challenge`,
  data: {
    client_id: config.auth0.clientId,
    client_secret: config.auth0.clientSecret,
    challenge_type: 'oob',
    authenticator_id: id,
    mfa_token: "Fe26...Ha"
  }
};
Someone suggested in this thread, https://community.auth0.com/t/post-request-to-mfa-challenge-endpoint-returns-unauthorized-error/48577, to add 'Content-Type: application/json' to the headers, which we are also doing.
We get this error:
{
  "error": "server_error",
  "error_description": "Unauthorized"
}
Can anyone help?
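The sequence described in the post (token request, authenticator listing, challenge request), written out as an added example that is not part of the original post and is not Auth0's code. The names `cfg`, `send` and `fakeSend`, the domain, and every response value are constructed so that the flow runs offline and shows which request carries the `mfa_token` in a header and which carries it in the body.

```javascript
// Added example. cfg, send and fakeSend are hypothetical names; all responses are constructed.
const cfg = { domain: 'tenant.example.com', clientId: 'CLIENT_ID', clientSecret: 'CLIENT_SECRET' };
const json = { 'Content-Type': 'application/json' };

// Pick the enrolled authenticator to challenge: active, out-of-band, on the given channel.
function pickAuthenticator(list, channel) {
  return list.find(a => a.active && a.authenticator_type === 'oob' && a.oob_channel === channel);
}

// Challenge request: the mfa_token and the client credentials travel in the JSON body.
function challengeRequest(c, mfaToken, authenticatorId) {
  return {
    method: 'POST', url: `https://${c.domain}/mfa/challenge`, headers: json,
    data: { client_id: c.clientId, client_secret: c.clientSecret,
            challenge_type: 'oob', authenticator_id: authenticatorId, mfa_token: mfaToken },
  };
}

// Full sequence; `send(options)` must resolve to the parsed response body.
async function requestChallenge(c, credentials, send) {
  const tokenRes = await send({
    method: 'POST', url: `https://${c.domain}/oauth/token`, headers: json,
    data: { grant_type: 'password', client_id: c.clientId, client_secret: c.clientSecret, ...credentials },
  });
  if (tokenRes.error !== 'mfa_required') throw new Error(`expected mfa_required, got ${tokenRes.error}`);
  // Listing authenticators presents the mfa_token as a bearer token, not in the body.
  const list = await send({
    method: 'GET', url: `https://${c.domain}/mfa/authenticators`,
    headers: { Authorization: `Bearer ${tokenRes.mfa_token}` },
  });
  const sms = pickAuthenticator(list, 'sms');
  if (!sms) throw new Error('no active SMS authenticator enrolled');
  return send(challengeRequest(c, tokenRes.mfa_token, sms.id));
}

// Constructed transport: records each request and replies with sample bodies.
const sent = [];
async function fakeSend(options) {
  sent.push(options);
  if (options.url.endsWith('/oauth/token')) return { error: 'mfa_required', mfa_token: 'MFA_TOKEN_PLACEHOLDER' };
  if (options.url.endsWith('/mfa/authenticators')) {
    return [{ id: 'sms|dev_CONSTRUCTED', authenticator_type: 'oob', active: true, oob_channel: 'sms' }];
  }
  return { challenge_type: 'oob', oob_code: 'OOB_CODE_PLACEHOLDER', binding_method: 'prompt' };
}
```

Replacing `fakeSend` with a real HTTP client that returns the parsed body lets each recorded request be compared against what the application actually sends.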