MFA per application/API

Trying to set up MFA rules per API. Have two APIs: console and account.

  • Console is used by a SPA and uses silent auth; the token expires after 10 mins.
  • Account is also used by a SPA and does not use silent auth; the token expires after 10 mins. Requires MFA to be entered each time the SPA is accessed.

MFA is enabled by default for all applications/APIs.

Currently have the following rule:

function (user, context, callback) {
  // APIs that must prompt for MFA on every authorization request
  const excludedAPIS = ["account"];

  // Audience (API identifier) requested by the client
  const audience = context.request.body.audience;

  // True when MFA was already completed earlier in this session
  const completedMfa = !!context.authentication.methods.find(
    (method) => method.name === 'mfa'
  );

  // MFA already done and this API only needs it once: skip the prompt
  if (completedMfa && excludedAPIS.includes(audience) === false) {
    return callback(null, user, context);
  }

  // Otherwise trigger MFA for this request
  context.multifactor = {
    provider: 'any',
    allowRememberBrowser: false
  };

  callback(null, user, context);
}

Issue is every time someone goes to the accounts SPA with the dashboard open, it breaks the silent auth of the console SPA. It's like it resets the MFA session.

Any ideas?

If you haven't done so already you should instrument that rule code with console.log statements and then use the Webtask Real-time log extension to see the relevant output. Of particular interest would be to confirm the exact code path taken by the rule in each execution and why; for example, for if statements that check multiple conditions it would be relevant to output each individual result (the MFA completed boolean and the API check boolean).

Here is a transaction log:

console login
12:48:01 PM:
completedMfa false
Needs MFA All the time: false
no MFA set

account login
12:48:36 PM:
new webtask request 1554810516376.191746
12:48:36 PM:
completedMfa: true
Needs MFA All the time: true
MFA set but requires MFA all time
12:48:36 PM:
finished webtask request 1554810516376.191746 with HTTP 200 in 133ms

console silent auth

finished webtask request 1554810796535.244757 with HTTP 200 in 8ms
12:53:16 PM:
new webtask request 1554810796676.39194
12:53:16 PM:
completedMfa: true
Needs MFA All the time: false
Calling callback MFA is completed and only requires mfa once. “< - asks the user again for mfa”
12:53:16 PM:
finished webtask request 1554810796676.39194 with HTTP 200 in 7ms


Thanks for doing this initial troubleshooting step; from my understanding of the results the rule logic is returning correct results, which means it returns early without setting the MFA trigger. If you go to the MFA section of your dashboard, what's the value you have for the _Always require Multi-factor Authentication_ toggle and also which factors you have enabled?

In addition to sharing the above, an HTTP trace (HAR) of the full flow across the multiple applications would be useful, although in order to share it publicly you would need to first redact any sensitive information like passwords, session cookie values, etc.

Ideally you should redact these by consistently replacing the same original value by the same redacted value.

Only have Google auth enabled at the moment; the Always require Multi-factor Authentication toggle is on, as we want it on all apps by default but have requirements for special cases per app.

Like mentioned above:

console only needs MFA once per login
account needs MFA each time

When check session is called by auth.js the following is returned:
Have check session res {error: "login_required", error_description: "Multifactor authentication required"}

auth.js config:

{
  "clientID": "something",
  "connection": "something",
  "domain": "something.eu.auth0.com",
  "responseType": "token id_token",
  "audience": "https://something.io",
  "redirectUri": "https://something.io/authorize",
  "scope": ""
}

At the moment I'm trying to remove sensitive data out of the HAR.

I confess I haven't yet done many tests with that toggle enabled, but my expectation would be that if that toggle is enabled then MFA will be required independently of rules. In other words, if rules do not trigger MFA then it will be triggered by the toggle.

I may be able to check the above assumption later today or tomorrow, but I think that in order to meet the requirement of having applications with different MFA requirements you'll need to use rules for all of them and disable the toggle.
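As an added illustration of the approach in the last reply (this is example code written for this thread, not code posted by the original poster or shipped by Auth0): a rule that carries the whole per-API MFA policy itself and is meant to run with the tenant-level "Always require Multi-factor Authentication" toggle switched off. It implements the policy from the first post (every API needs MFA; "account" on every authorization request, "console" only once per session), logs each input to the decision as the first reply recommends, and includes a local dry run over constructed contexts mirroring the three transactions in the posted log. The audience identifiers are placeholders, and reading the audience from both the query string and the body is an assumption, not something the thread confirms.

```javascript
// Added example (not code from the thread or from Auth0): an Auth0 rule that
// enforces per-API MFA on its own, for use with the tenant-level
// "Always require Multi-factor Authentication" toggle switched OFF.
// Policy from the thread: every API needs MFA; "account" needs it on every
// authorization request, "console" only once per session.

// Audience identifiers are constructed placeholders; replace them with the
// real API identifiers configured in the tenant.
const MFA_EVERY_REQUEST = ['https://account.example.com'];

// Pure decision helper, kept separate from the rule so the policy can be
// exercised outside the Auth0 runtime.
function decideMfa(audience, completedMfa, everyRequestApis = MFA_EVERY_REQUEST) {
  if (everyRequestApis.includes(audience)) {
    return { requireMfa: true, reason: 'api requires mfa on every request' };
  }
  if (completedMfa) {
    return { requireMfa: false, reason: 'mfa already completed in this session' };
  }
  return { requireMfa: true, reason: 'no mfa completed in this session yet' };
}

// True when an earlier step of this session already completed MFA.
function hasCompletedMfa(context) {
  const methods = (context.authentication && context.authentication.methods) || [];
  return methods.some((method) => method.name === 'mfa');
}

// Assumption: the audience may arrive in the query string (/authorize,
// including silent auth) or in the body, so both are checked.
function requestedAudience(context) {
  const request = context.request || {};
  return (request.query && request.query.audience)
    || (request.body && request.body.audience)
    || '';
}

// Rule body with the signature Auth0 invokes: (user, context, callback).
function rule(user, context, callback) {
  const audience = requestedAudience(context);
  const completedMfa = hasCompletedMfa(context);
  const decision = decideMfa(audience, completedMfa);

  // Log every input to the decision so the Real-time Webtask Logs show
  // exactly which path was taken and why.
  console.log(`audience=${audience} completedMfa=${completedMfa} ` +
              `requireMfa=${decision.requireMfa} (${decision.reason})`);

  if (decision.requireMfa) {
    context.multifactor = {
      provider: 'any',
      allowRememberBrowser: false // never skip MFA because of a remembered browser
    };
  }
  return callback(null, user, context);
}

// Local dry run with constructed contexts mirroring the three transactions
// in the thread's log; returns, per transaction, whether MFA would be prompted.
function dryRun() {
  const contexts = {
    consoleLogin: {
      request: { query: { audience: 'https://console.example.com' } },
      authentication: { methods: [{ name: 'pwd' }] }
    },
    accountLogin: {
      request: { query: { audience: 'https://account.example.com' } },
      authentication: { methods: [{ name: 'pwd' }, { name: 'mfa' }] }
    },
    consoleSilentAuth: {
      request: { query: { audience: 'https://console.example.com' } },
      authentication: { methods: [{ name: 'pwd' }, { name: 'mfa' }] }
    }
  };
  const prompted = {};
  for (const [name, ctx] of Object.entries(contexts)) {
    rule({ user_id: 'auth0|example' }, ctx, (err, user, out) => {
      prompted[name] = Boolean(out.multifactor);
    });
  }
  return prompted;
}
```

Running `dryRun()` gives `consoleLogin: true`, `accountLogin: true`, `consoleSilentAuth: false`, which is the behaviour the original poster wants. With the tenant toggle still on, the `consoleSilentAuth` case ends in an MFA prompt anyway (the "asks the user again for mfa" line in the posted log), which is exactly why the reply above suggests moving the whole policy into rules and turning the toggle off.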