Hi @viktor_i
Thank you for providing that info.
I believe that the refresh tokens might be causing the issue at hand.
Since a new refresh token might be provided to the user whenever they log in, it is triggering the mfa.
You could try adding the following code to your PostLogin action to bypass it for the users:
exports.onExecutePostLogin = async (event, api) => {
// This action will allow you to bypass the MFA logic for the refresh token exchange flow.
if (event.transaction.protocol === "oauth2-refresh-token") {
return;
}
// Add your MFA logic
// For example: api.multifactor.enable("any");
};
Let me know if that helps!
Kind Regards,
Nik