Problem statement
We want to use MFA, but the user should not have to enter their MFA every time their session token expires, since we use refresh tokens.
Symptoms
- “mfa_required” error
Solution:
When enabling MFA with Actions, there is the option to check for Refresh Token usage to skip the MFA prompt. This way, your application will not throw the “mfa_required” error and prompt the user to complete the MFA flow again.
To do so, we recommend that you add a conditional to your MFA Action so that it bypasses MFA when the refresh token grant is used. You can check whether event.transaction.protocol equals "oauth2-refresh-token". See below:
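exports.onExecutePostLogin = async (event, api) => {
  // Require MFA unless this transaction is a refresh token exchange.
  // event.transaction can be undefined, hence the optional chaining.
  if (event.transaction?.protocol !== "oauth2-refresh-token") {
    api.multifactor.enable("any");
  }
  // else: pass, since a refresh token is being used
};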
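An added example (not part of the original article or Auth0's own code): a small offline harness that runs an MFA Action against constructed events with a stand-in `api` object, to confirm that MFA is enabled for interactive logins and skipped only for the refresh token grant. It also includes a variant that negates before comparing (`!x === "..."`), which never enables MFA for anyone; `mockApi`, `mfaEnabledFor`, `runMatrix` and the sample events are assumptions made for illustration.

```javascript
// Variant with a precedence mistake: `!x` is evaluated first, so a boolean is
// compared to a string and the branch is never taken (MFA is never enabled).
const buggyHandler = async (event, api) => {
  if (!event.transaction.protocol === "oauth2-refresh-token") {
    api.multifactor.enable("any");
  }
};

// Intended condition: enable MFA unless this is a refresh token exchange.
const fixedHandler = async (event, api) => {
  if (event.transaction?.protocol !== "oauth2-refresh-token") {
    api.multifactor.enable("any");
  }
};

// Hypothetical stand-in for the Actions `api` object; it only records
// calls to multifactor.enable so the harness can inspect them.
function mockApi() {
  const calls = [];
  return { calls, multifactor: { enable: (provider) => calls.push(provider) } };
}

// Returns true if the handler enabled MFA for the given event.
async function mfaEnabledFor(handler, event) {
  const api = mockApi();
  await handler(event, api);
  return api.calls.length > 0;
}

// Constructed sample events carrying only the field the Action reads.
const SAMPLE_EVENTS = {
  interactive: { transaction: { protocol: "oidc-basic-profile" } },
  refresh: { transaction: { protocol: "oauth2-refresh-token" } },
};

// Runs every handler against every sample event.
async function runMatrix() {
  const handlers = { buggy: buggyHandler, fixed: fixedHandler };
  const result = {};
  for (const [name, handler] of Object.entries(handlers)) {
    result[name] = {};
    for (const [kind, event] of Object.entries(SAMPLE_EVENTS)) {
      result[name][kind] = await mfaEnabledFor(handler, event);
    }
  }
  return result;
}

runMatrix().then((r) => console.log(JSON.stringify(r, null, 2)));
```

A check like this catches a condition that silently turns MFA off for all logins before the Action is deployed.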