Problem statement
When the Flexible Factor Selection feature is used together with the Resource Owner Password Grant (ROPG) flow, the following error appears in the tenant logs:
MFA required. The post login MFA commands are not compatible with the non-interactive flows.
The Flexible Factor Selection is triggered by an Action with these two methods:
- api.authentication.challengeWith(factor, options)
- api.authentication.challengeWithAny(factors)
It’s documented here:
Symptoms
Error in tenant logs
type: mfar
description: MFA required. The post login MFA commands are not compatible with the non-interactive flows.
Cause
As the article Customize MFA Selection in New Universal Login states, this customization is only available in the New Universal Login Experience.
Solution
Unfortunately, the Flexible Factor Selection feature is not currently available for WS-Fed, SAML, or non-interactive flows (including the ROPG flow).
The workaround is to use an Action that, for such flows, either skips MFA or triggers the standard MFA prompt instead of the flexible selection, e.g.:
exports.onExecutePostLogin = async (event, api) => {
  if (event.transaction.protocol === 'oauth2-resource-owner') {
    // Non-interactive (ROPG) flow: fall back to the standard MFA prompt
    api.multifactor.enable(provider, options);
  } else {
    // Interactive flow: Flexible Factor Selection is supported here
    api.authentication.challengeWith(factor, options);
  }
};
(provider, options and factor are placeholders, as in the Auth0 Actions documentation.)
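As an added example (not the article's or Auth0's own code), the same Action extended to every flow the article lists as unsupported, with a stub api object so the branching can be exercised outside Auth0; the protocol names other than 'oauth2-resource-owner' and the factor types are assumptions.

```javascript
// Added example, not the article's code: an Auth0 post-login Action that
// falls back to the standard MFA prompt on every flow the article lists
// as unsupported, plus a stub `api` so the branching runs outside Auth0.
// Only 'oauth2-resource-owner' appears in the article; the other protocol
// names and the factor types are assumed values.
const FLEXIBLE_SELECTION_UNSUPPORTED = new Set([
  'oauth2-resource-owner', // ROPG, as in the article
  'oauth2-password',       // assumed: alternate name for the password grant
  'samlp',                 // assumed: SAML
  'wsfed',                 // assumed: WS-Fed
]);

// In a real Action this is `exports.onExecutePostLogin = async (event, api) => {...}`.
function onExecutePostLogin(event, api) {
  if (FLEXIBLE_SELECTION_UNSUPPORTED.has(event.transaction.protocol)) {
    // challengeWith* would fail here with the "mfar" log entry, so use
    // the standard MFA prompt with whatever factor the user has enrolled.
    api.multifactor.enable('any', { allowRememberBrowser: false });
    return;
  }
  // Interactive flow on the New Universal Login: let the user choose a factor.
  api.authentication.challengeWithAny([{ type: 'otp' }, { type: 'push-notification' }]);
}

// Stand-in for the Actions `api` object that records which MFA command was issued.
function makeRecordingApi() {
  const calls = [];
  return {
    calls,
    multifactor: {
      enable: (provider, options) => calls.push({ cmd: 'enable', provider, options }),
    },
    authentication: {
      challengeWith: (factor, options) => calls.push({ cmd: 'challengeWith', factor, options }),
      challengeWithAny: (factors) => calls.push({ cmd: 'challengeWithAny', factors }),
    },
  };
}

// Run the Action against a constructed event and return the MFA command it issued.
function mfaCommandFor(protocol) {
  const api = makeRecordingApi();
  onExecutePostLogin({ transaction: { protocol } }, api);
  return api.calls[0].cmd;
}

// Constructed sample run: ROPG gets the standard prompt, an interactive flow gets selection.
console.log(mfaCommandFor('oauth2-resource-owner'), mfaCommandFor('oidc-basic-profile'));
```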