MFA user flow with auth0-spa-js

Implementing the quickstart example with Angular 2+ along with MFA and using the following rule recommended in this topic to enable silent login with MFA.

However when the token expires the user is redirected back to the login screen with the “Last time you logged in with” option, they simply have to click the user displayed to login successfully again. Is there a way to force a full login again with username, password and MFA?

Thanks in advance

Jonny

From latest testing, switching across to the “New Universal Login from Classic” it doesn’t seem to cache the Username/Password, however it’s not forcing another MFA challenge when the token expires, only on first login.

OK, managed to find a solution to requiring MFA once a user logs in for the first time and when the token expires, while skipping MFA on page refreshes (getTokenSilently):

From the sample code (auth.service), I added acr_values to the login method:

login(redirectPath: string = '/') {
  // A desired redirect path can be passed to login method
  // (e.g., from a route guard)
  // Ensure Auth0 client instance exists
  this.auth0Client$.subscribe((client: Auth0Client) => {
    // Call method to log in
    client.loginWithRedirect({
      redirect_uri: `${window.location.origin}`,
      appState: { target: redirectPath },
      // Ask for the multi-factor authentication context; the rule below
      // checks this value and forces a fresh MFA challenge when it is present
      acr_values: 'http://schemas.openid.net/pape/policies/2007/06/multi-factor',
    });
  });
}

And then tweaked the Auth0 Rule “Require MFA once per session”:

function (user, context, callback) {

  // true if an MFA step has already been completed in this session
  const completedMfa = !!context.authentication.methods.find(
    (method) => method.name === 'mfa'
  );

  // perform MFA if not completed OR if the web app asks for MFA in the authentication request (acr_values)
  if (!completedMfa || context.request.query.acr_values === 'http://schemas.openid.net/pape/policies/2007/06/multi-factor') {
    context.multifactor = {
      provider: 'any',
      allowRememberBrowser: false
    };
  }

  callback(null, user, context);
}

Much appreciated if someone from Auth0 could confirm if this is the recommended way…

Reference for acr_values: Customize Multi-Factor Authentication Pages

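A stand-alone way to check the decision logic of that rule against the three flows the post describes (first login, silent refresh via getTokenSilently, re-login after token expiry with acr_values). This is an added example, not code from the post or from Auth0; the `context` objects are constructed to mimic the shape a rule receives, and it generalises the post's strict equality by treating acr_values as the space-separated list OpenID Connect defines.

```javascript
// Added example (not from the original post): testable version of the rule's decision.
// Assumption: `context` mimics an Auth0 rule context with
// context.authentication.methods and context.request.query; helper names are hypothetical.

const MFA_ACR = 'http://schemas.openid.net/pape/policies/2007/06/multi-factor';

// acr_values is a space-separated list per OpenID Connect Core, so MFA is
// considered requested if the multi-factor URI appears anywhere in it.
function requestsMfa(query) {
  const raw = (query && query.acr_values) || '';
  return raw.split(/\s+/).filter(Boolean).includes(MFA_ACR);
}

// true if an MFA step was already completed in this session
function completedMfaThisSession(context) {
  const methods = (context.authentication && context.authentication.methods) || [];
  return methods.some((m) => m.name === 'mfa');
}

// Same decision as the rule: challenge on the first login of a session or whenever
// the SPA sends acr_values; skip on silent renewals where MFA already happened.
function decideMfa(context) {
  const out = { ...context };
  const query = context.request && context.request.query;
  if (!completedMfaThisSession(context) || requestsMfa(query)) {
    out.multifactor = { provider: 'any', allowRememberBrowser: false };
  }
  return out;
}

function mfaRequired(context) {
  return decideMfa(context).multifactor !== undefined;
}

// Constructed sample contexts for the three flows.
const firstLogin = { authentication: { methods: [{ name: 'pwd' }] }, request: { query: {} } };
const silentRefresh = { authentication: { methods: [{ name: 'pwd' }, { name: 'mfa' }] },
  request: { query: {} } };
const expiredRelogin = { authentication: { methods: [{ name: 'pwd' }, { name: 'mfa' }] },
  request: { query: { acr_values: 'urn:example:other ' + MFA_ACR } } };

console.log(mfaRequired(firstLogin), mfaRequired(silentRefresh), mfaRequired(expiredRelogin));
// prints: true false true
```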