
MFA - please repeat the request in a few seconds

auth0

#1

Hello guys,
I am trying to make a POC of two-factor authentication with the Auth0 PUSH method.
The problem is (I think) that I never receive that push, so my application goes into an infinite loop of: "error_description": "Authorization pending: please repeat the request in a few seconds."

Basically, what I am doing is:

– Try a user password grant; it gets denied with the error mfa_required, which is normal, and I receive an mfa_token.
– I send a request to /mfa/associate with the auth0 value: {"authenticator_types": ["oob"], "oob_channels": ["auth0"]}

– Now I receive an OOB_Token and I use it to do the /mfa/challenge call (mfa_token + oob_token).

And finally, I receive the answer: Authorization pending: please repeat the request in a few seconds. And it's an infinite loop of doom.

Can someone help me with that? I must not have understood clearly what to do … and can't get it …
Here is the Python code that I made for the POC:

import json
import time

import requests

# Methods of the POC client class, which holds AUTH_DOMAIN, AUTH_CLIENT_ID and AUTH_CLIENT_SECRET.

def do_user_auth(self,username,password):
	print("--------- DO USER AUTH -----")
	scopes = "openid openid profile read:authenticators email address phone perm_clause_view perm_clause_create perm_clause_edit perm_clause_publish"
	headers = {"Content-Type": "application/json","Accept": "text/plain"}
	# Send the body as a dict (json=) so quotes or backslashes in the password cannot break or alter the JSON.
	data = {"grant_type":"password","scope":scopes,"client_secret":self.AUTH_CLIENT_SECRET,"client_id":self.AUTH_CLIENT_ID,"username":username,"password":password}
	r = requests.post("https://"+self.AUTH_DOMAIN+"/oauth/token", json=data,headers=headers)
	answer = json.loads(r.content)
	print(r.content)
	if "error" in answer:
		if answer["error"] == 'mfa_required':
			# First factor accepted: associate a push authenticator, then redeem the OOB code.
			oob_code = self.associate_application_post(answer["mfa_token"])
			self.do_two_factor_auth_call(answer["mfa_token"],oob_code)

def do_two_factor_auth_call(self,a_mfa_token,a_otp_code):
	print("--------- DO TWO FACTOR CALL AUTH -----")
	data = {"client_secret":self.AUTH_CLIENT_SECRET,"client_id":self.AUTH_CLIENT_ID,"mfa_token":a_mfa_token,"grant_type":"http://auth0.com/oauth/grant-type/mfa-oob","oob_code":a_otp_code,"binding_code":"000000"}
	headers = {"Content-Type": "application/json","Accept": "text/plain"}
	r = requests.post("https://"+self.AUTH_DOMAIN+"/oauth/token", json=data,headers=headers)
	print(r.content)
	decoded = r.content.decode('utf-8')
	if "error" in decoded and "authorization_pending" in decoded:
		# Retries with no upper bound for as long as the server answers authorization_pending.
		print("waiting some seconds")
		time.sleep(15)
		self.do_two_factor_auth_call(a_mfa_token,a_otp_code)


def associate_application_post(self,a_mfa_token):
	print("--------- DO ASSOCIATE CALL AUTH -----")
	# The mfa_token from the mfa_required error is the bearer credential for /mfa/associate.
	headers = {"Content-Type": "application/json","Accept": "text/plain","Authorization":"Bearer "+a_mfa_token}
	data = {"client_secret":self.AUTH_CLIENT_SECRET,"client_id":self.AUTH_CLIENT_ID,"authenticator_types":["oob"],"oob_channels":["auth0"]}
	r = requests.post("https://"+self.AUTH_DOMAIN+"/mfa/associate", json=data,headers=headers)
	print(r.content)
	answer = json.loads(r.content)
	return answer["oob_code"]

Cheers,
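
An added example, not code from this thread or from Auth0: a bounded version of the polling step in the post above, which stops on a deadline or on any error other than authorization_pending instead of retrying forever. The `post` transport hook, the `creds` dict, `MfaPollError` and the fake server are hypothetical names, constructed so the loop runs offline.

```python
import time

MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob"  # grant type used in the post


class MfaPollError(Exception):
    """Terminal outcome: the server refused the grant, or the deadline passed."""


def poll_mfa_oob(post, token_url, creds, mfa_token, oob_code,
                 interval=15, timeout=120, sleep=time.sleep, clock=time.monotonic):
    """Poll the token endpoint until the push is answered, with a hard deadline.

    `post(url, body) -> dict` is a hypothetical transport hook; in real use it
    would wrap requests.post(url, json=body).json().
    """
    body = {"grant_type": MFA_OOB_GRANT, "mfa_token": mfa_token,
            "oob_code": oob_code, **creds}
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        answer = post(token_url, body)
        error = answer.get("error")
        if error is None:
            return answer, attempts  # tokens issued
        if error != "authorization_pending":
            # Any other error is treated as final: retrying cannot change it.
            raise MfaPollError(f"{error}: {answer.get('error_description', '')}")
        if clock() + interval > deadline:
            raise MfaPollError(f"still pending after {attempts} attempts; "
                               "check that the authenticator was actually enrolled")
        sleep(interval)


def make_fake_server(pending_replies):
    """Constructed stand-in for /oauth/token: N pending replies, then tokens."""
    state = {"left": pending_replies}

    def post(url, body):
        if state["left"] > 0:
            state["left"] -= 1
            return {"error": "authorization_pending",
                    "error_description": "Authorization pending: please repeat "
                                         "the request in a few seconds."}
        return {"access_token": "constructed-token", "token_type": "Bearer"}
    return post
```
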


#2

Nobody can help me with that?


#3

Can you receive the MFA push if using Guardian instead of your custom application? Furthermore, what do the logs say in https://manage.auth0.com/#/logs? You should have information regarding the failure if Auth0 failed to send a push.


#4

Well, when I authenticate myself within the console it works, but not with my code. In the logs I have only this. It's like the enrolment process never gets done. When I receive the enrolment token, I have this in the response:

b’{“oob_code”:"Fe26.2**54d58d4eacbcf54e2472e753e87576388988a344ab08e5bb2f1702d1eee0a4a3oAR7-5sKyNA-h0KiMp5_AAyNRUHZKsA_tX4ctI1vc0yRey0ZHHdlJ5ZpNtkfa_xGoENvL2M6mGSE64RFYJAu5cFaPS_QqgXe6sdFIyXkvViZ0z5-7l4PQILSfOCwI_j0INg4ASwOn5wmhXcjcHsU7iFO9Ko147iB_oJHtYbGf2nbVgJhBuB-ByDimsmUWmoromyXnDvGdazITPK8_CJqus80ycH9Sl7A15mU4XCPHmaUI8z60fN0wlpUD-QyOeJJvN-jpcOUAn6ndN0lGN_hTFVERDJ4yXWLDyRohTK6ihPQOstOlj0QWUXRRJXi6tXjsGxrLTzTEk3o4Ehcq_tZ2yFj7w88d2IlPuUhfKDh1OQim3VUvCq7ES_S15UtM9fvTxLw4-174sL1j9NnwbiXud15289011820518eeaaac619c0fc10accb689a4a4abbaa5bdf4dc98d28cd23092ea10f904aaa3a*mS_lmrC4cYBMjKJEFGcu72zuAnUanVVhCcIaBplUh0s",“barcode_uri”:"otpauth://totp/thinking-capital:cleclerc%40thinkingcapital.ca?enrollment_tx_id=GB06kUoVmvkXNEqHNSU8cbxJE9U67N66&base_url=https%3A%2F%2FURL.guardian.auth0.com",“authenticator_type”:“oob”,“oob_channel”:“auth0”}'

Do I need to forward the user to that page or something?

{
  "date": "2018-06-13T14:36:22.052Z",
  "type": "gd_start_enroll",
  "description": "Guardian - Enrollment started (push)",
  "ip": "35.167.74.121",
  "user_agent": "python-requests/2.18.4",
  "details": {
    "request": {
      "method": "POST",
      "path": "/api/tenants/URL/users/auth0%7C5ac6beb6a33e56128a53e434/authenticators",
      "query": {},
      "userAgent": "python-requests/2.18.4",
      "body": {
        "type": "push",
        "verifier": "TC"
      },
      "ip": "35.167.74.121",
      "auth": {
        "strategy": "jwt_api2_internal_token",
        "scopes": [
          "read:authenticators",
          "create:authenticators",
          "verify:authenticator"
        ]
      }
    },
    "response": {
      "body": {}
    },
    "authenticator": {
      "id": "push|dev_1rW3t7yfpAsbC8Rq",
      "type": "push"
    }
  },
  "user_id": "auth0|5ac6beb6a33e56128a53e434",
  "log_id": "90020180613143622052992777279804446710967615626655301714"
}


#5

Anything to help me with that?