MFA: Enrolling OTP on NextJS frontend

Hey,

I have a NextJS app that I want to protect via optional OTP that the user can turn on/off if he wants. I already did the following:

1. Enabled OTP in dashboard, but marked Require Multi-factor Auth as “Never”.
2. In my app, I have a page that sets “mfa” key in user_metadata to true/false.
3. Based on the value from #2, I have a onExecutePostLogin action that if mfa = true does api.multifactor.enable(“any”).

So far so good, everything is working perfectly. The thing is I’de like to do the enrolling part in my app, after user is already logged in. I saw these manuals:

https://community.auth0.com/t/how-to-set-up-mfa-totp-enrollment-with-mfa-api/85850
https://community.auth0.com/t/generate-qr-code-for-otp-enrollment/109003

But it’s not clear to me. I don’t hold the username and password of the user, so how can I
send a refresh token request if i don’t have the user credentials?

does is mean i need to force the user to re-login or is there’s another option I don’t think of?

Hey there @yanivs , welcome back!

I don’t hold the username and password of the user, so how can I
send a refresh token request if i don’t have the user credentials?

With the Refresh token grant flow:

-you receive one refresh token once the user authenticated (along with the access and or ID tokens). This refresh token is suppose to be stored in your app memory so you can make use of it whenever its needed (like for example to request new refresh token).

To implement the refresh token grant, there’s a need to add:
1.

scope=offline_access

to the /authorize request (the one that initiates the authentication process) on your app code side.
2. Please enable the Refresh token grant flow for the application (client app) in question in your Auth0 tenant.
3. Please Allow Offline Access for the API in question in your Auth0 tenant, under Access Settings section.

Happy to follow up in case of more questions on this topic!