MFA Failing with Action but not Rule

rogupta · September 22, 2022, 7:26pm

Hello,

I want to add MFA to my application via Actions. Here is my existing code:

exports.onExecutePostLogin = async (event, api) => {

  /* add code to check user_metadata for mfa_enabled. if not there, then 
  look at organizations. when that happens, update user_metadata at the end
  */

  // initialize ManagementClient to access Auth0 Management API
  const { DOMAIN, CLIENT_ID, CLIENT_SECRET } = event.secrets;
  const ManagementClient = require('auth0').ManagementClient;
  const management = new ManagementClient({
      domain: DOMAIN,
      clientId: CLIENT_ID,
      clientSecret: CLIENT_SECRET,
  });

  const orgs = await management.users.getUserOrganizations({ id: event.user.user_id }).catch((err) => {
    console.log(err);
  })
  

  for (const org of orgs) {
    if (org.metadata && org.metadata.mfa_enabled === 'true') {
      api.multifactor.enable("any");
      break;
    }
  }
 
};

The MFA prompt is triggered, but the user is not logged in when being redirected back to the application page.
A log event of type “Failed Silent Auth” with description “Multifactor authentication required” always appears.

Update:

Interestingly, we are able to get MFA working with Rules with the following code:

function requireMfaEnrollment(user, context, callback) {
  
  
  // in case of samlp , auth0 is  just a service provider (not identity). So skip
  if(context.protocol === 'samlp') {
     console.log('SKIP MFA');
      context.multifactor = {
        provider: 'none'
      }; 
    callback(null, user, context);
    return ;
  }
			
  console.log(user);
  
  if(user.user_metadata && user.user_metadata.mfa_enabled &&  user.user_metadata.mfa_enabled === 'true' || (context.organization && context.organization.metadata.mfa_enabled && context.organization.metadata.mfa_enabled === 'true')) {
      console.log("mfa enabled for user");
      const completedMfa = !!context.authentication.methods.find(
      (method) => method.name === 'mfa'
    );
   
    if (completedMfa) {
      console.log("user completed mfa");
      return callback(null, user, context);
    }
   
    context.multifactor = {
      provider: 'any',
      allowRememberBrowser: false
    };
    callback(null, user, context);

  }

  callback(null, user, context);
}

However, we would still like to implement with Actions instead of Rules.

Even a simple action that triggers MFA and does nothing else (as shown below) fails:

exports.onExecutePostLogin = async (event, api) => {
  api.multifactor.enable("any");
  return;
}

I would appreciate help with this. Thank you in advance!

rogupta · September 29, 2022, 3:51pm

The key difference lies in the line above. In the Action, we were not checking this value, while in the Rule, we were.

system · January 8, 2024, 8:49am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.