"mfa_required" error instead of using refresh token with Actions

Problem statement

We want to use MFA, but the user should not have to enter their MFA every time their session token expires, since we use refresh tokens.

Symptoms

  • “mfa_required” error

Solution:

When enabling MFA with Actions, there is the option to check for Refresh Token usage to skip the MFA prompt. This way, your application will not throw the “mfa_required” error and prompt the user to complete the MFA flow again.

To do so, we recommend that you add a conditional to your MFA Action so that it bypasses MFA when the refresh token grant is used. You can check whether event.transaction.protocol === "oauth2-refresh-token". See below:

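exports.onExecutePostLogin = async (event, api) => {
  // Require MFA for every flow except a refresh token exchange.
  // Compare with !== so the negation applies to the whole comparison.
  if (event.transaction?.protocol !== "oauth2-refresh-token") {
    api.multifactor.enable("any");
  }
  // else pass, since a refresh token is being used
};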
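
To confirm that the bypass applies only to refresh token exchanges, the following added example (not part of the original article or Auth0's own code) runs the conditional against constructed events and records whether MFA was enabled. The helper `mfaDecisions`, the mock `api`, the `negationFirst` variant and the sample events are assumptions made for this check.

```javascript
// Handler with the conditional described above. event.transaction may be
// absent, so optional chaining keeps the check from throwing.
const onExecutePostLogin = async (event, api) => {
  if (event.transaction?.protocol !== "oauth2-refresh-token") {
    api.multifactor.enable("any");
  }
};

// Same condition with the negation applied to the protocol first.
// `!protocol` is a boolean, and a boolean never strictly equals a string,
// so this variant never enables MFA for any flow.
const negationFirst = async (event, api) => {
  if (!event.transaction?.protocol === "oauth2-refresh-token") {
    api.multifactor.enable("any");
  }
};

// Constructed sample events (only the field the handlers read).
const sampleEvents = {
  interactive: { transaction: { protocol: "oidc-basic-profile" } },
  refresh: { transaction: { protocol: "oauth2-refresh-token" } },
  noTransaction: {},
};

// Run a handler over every sample event with a mock `api` that records
// whether api.multifactor.enable() was called.
async function mfaDecisions(handler) {
  const result = {};
  for (const [name, event] of Object.entries(sampleEvents)) {
    let enabled = false;
    const api = { multifactor: { enable: () => { enabled = true; } } };
    await handler(event, api);
    result[name] = enabled;
  }
  return result;
}

mfaDecisions(onExecutePostLogin).then((r) => console.log("correct:", r));
mfaDecisions(negationFirst).then((r) => console.log("negation first:", r));
```

A result of `false` for every event, as the `negationFirst` variant produces, means the Action is not enforcing MFA at all.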
