Problem statement
After enabling the Trust Token Endpoint IP Header setting for an application, the login process gets stuck at an “MFA required” stage, even though MFA was not required before the setting was changed.
Cause
If the tenant uses Adaptive MFA, the risk assessment may be returning a low confidence score since the Trust Token Endpoint IP Header setting was enabled, so users are now being prompted for MFA. With the setting enabled, the auth0-forwarded-for header that the application sends to the Token endpoint is treated as trusted and used as the source of the end user's IP address. Its primary purpose is to protect against brute-force attacks on the Token endpoint, but the same IP address also feeds the Adaptive MFA risk assessment: if the forwarded address is one Auth0 does not consider trusted for that user, the UntrustedIP assessment returns low confidence and MFA is required.
Solution
To confirm the cause, test logins with Adaptive MFA switched off, or with the Trust Token Endpoint IP Header setting disabled; if the MFA prompt disappears in either case, the forwarded IP is what is driving the low confidence score. Rather than leaving either protection off, Adaptive MFA can be customized with a post-login Action that inspects the risk assessment and accounts for a low confidence UntrustedIP assessment.
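The following is an added example, not code from the Auth0 article or from Auth0 itself, of a post-login Action that applies that customization. It reads event.authentication.riskAssessment (overall confidence plus per-signal assessments such as UntrustedIP, NewDevice and ImpossibleTravel, each with its own confidence) and requires MFA via api.multifactor.enable. For the application that sends the auth0-forwarded-for header, identified by the hypothetical placeholder client ID FORWARDED_IP_CLIENT_IDS, a low score caused only by UntrustedIP is treated as a forwarded-IP artefact and does not prompt, while any other low-confidence signal still does. The shape of the risk assessment object and the placeholder client ID are assumptions.

```javascript
// Added example, not code from the Auth0 article: a post-login Action that
// reads the Adaptive MFA risk assessment and decides when to require MFA.
// Assumption: event.authentication.riskAssessment carries an overall
// `confidence` ('low' | 'medium' | 'high' | 'neutral') and per-signal
// `assessments` (UntrustedIP, NewDevice, ImpossibleTravel), each with its
// own `confidence`.

// Hypothetical placeholder: client IDs of the application(s) that send the
// auth0-forwarded-for header with the Trust Token Endpoint IP Header setting
// enabled. Only for these clients is an UntrustedIP-only low-confidence
// result treated as a forwarded-IP artefact.
const FORWARDED_IP_CLIENT_IDS = new Set(['REPLACE_WITH_CLIENT_ID']);

// Return the names of the per-signal assessments that reported low confidence.
function lowConfidenceSignals(riskAssessment) {
  const assessments = (riskAssessment && riskAssessment.assessments) || {};
  return Object.keys(assessments).filter(
    (name) => assessments[name] && assessments[name].confidence === 'low'
  );
}

// Decide whether this login should be challenged with MFA.
// - No assessment (Adaptive MFA off) or overall confidence not low: no prompt.
// - Overall low and the client is not exempt: prompt.
// - Overall low and the client is exempt: prompt only if a signal other than
//   UntrustedIP is low, or if no per-signal detail is available (fail closed).
function shouldRequireMfa(riskAssessment, clientIsExempt) {
  if (!riskAssessment || riskAssessment.confidence !== 'low') {
    return false;
  }
  if (!clientIsExempt) {
    return true;
  }
  const lowSignals = lowConfidenceSignals(riskAssessment);
  if (lowSignals.length === 0) {
    // Overall low but nothing attributes it to the forwarded IP: prompt.
    return true;
  }
  return lowSignals.some((name) => name !== 'UntrustedIP');
}

// Auth0 post-login Action entry point. api.multifactor.enable('any', ...)
// requires MFA with any enrolled factor and does not let the browser be
// remembered, so the challenge is repeated on the next risky login.
async function onExecutePostLogin(event, api) {
  const riskAssessment = event.authentication && event.authentication.riskAssessment;
  const clientId = event.client && event.client.client_id;
  const clientIsExempt = FORWARDED_IP_CLIENT_IDS.has(clientId);
  if (shouldRequireMfa(riskAssessment, clientIsExempt)) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
}

// Register the handler when deployed as an Action (CommonJS module scope).
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Deploy this as a custom Action in the Login flow after replacing the placeholder client ID. Note the trade-off it encodes: for the exempted client, an attacker logging in from an IP that Auth0 has never seen for the user is no longer challenged on that signal alone, so keep the exemption limited to the application that actually sends auth0-forwarded-for and leave the other Adaptive MFA signals in force.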
Related References