Ok, managed to find a solution to requiring MFA once a user logs in for the first time and when the token expires, and skipping MFA on page refreshes (getTokenSilently):

From the sample code (auth.service), I added an `acr_values` to the login method:
```typescript
login(redirectPath: string = '/') {
  // A desired redirect path can be passed to login method
  // (e.g., from a route guard)
  // Ensure Auth0 client instance exists
  this.auth0Client$.subscribe((client: Auth0Client) => {
    // Call method to log in
    client.loginWithRedirect({
      redirect_uri: `${window.location.origin}`,
      appState: { target: redirectPath },
      acr_values: 'http://schemas.openid.net/pape/policies/2007/06/multi-factor',
    });
  });
}
```
And then tweaked the Auth0 Rule “Require MFA once per session”:
```javascript
function (user, context, callback) {
  const completedMfa = !!context.authentication.methods.find(
    (method) => method.name === 'mfa'
  );
  // perform MFA if not completed OR if the web app asks for MFA in the authentication request (acr_values)
  if (
    !completedMfa ||
    context.request.query.acr_values === 'http://schemas.openid.net/pape/policies/2007/06/multi-factor'
  ) {
    context.multifactor = {
      provider: 'any',
      allowRememberBrowser: false
    };
  }
  callback(null, user, context);
}
```
Much appreciated if someone from Auth0 could confirm if this is the recommended way…
Reference for acr_values: Customize Multi-Factor Authentication Pages
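The rule's decision, as an added example that is not part of the post above: the MFA check is factored into a function so it can be exercised offline against constructed Auth0 contexts for the three cases the post describes (first login, silent renewal, re-login after token expiry). It generalises the post's exact string comparison to the OIDC definition of `acr_values` as a space-separated list; the context shapes and the `runRule` helper are assumptions for the harness.

```javascript
// Added example, not the poster's or Auth0's code. Node.js, no dependencies.
const MFA_ACR = 'http://schemas.openid.net/pape/policies/2007/06/multi-factor';

// OIDC Core 3.1.2.1 defines acr_values as a space-separated string of ACR
// identifiers, so a single exact comparison misses requests carrying several.
function parseAcrValues(acrValues) {
  if (typeof acrValues !== 'string') return [];
  return acrValues.split(/\s+/).filter(Boolean);
}

// Decide whether this transaction must run MFA. acr_values is under the
// client's control, so it is only allowed to ADD a factor: the decision is an
// OR, and a session that never completed MFA is still challenged regardless.
function mfaRequired(context) {
  const methods = (context.authentication && context.authentication.methods) || [];
  const completedMfa = methods.some((m) => m.name === 'mfa');
  const query = (context.request && context.request.query) || {};
  const requested = parseAcrValues(query.acr_values).includes(MFA_ACR);
  return !completedMfa || requested;
}

// Rule-shaped wrapper with the same (user, context, callback) signature.
function requireMfaRule(user, context, callback) {
  if (mfaRequired(context)) {
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
  }
  callback(null, user, context);
}

// Harness (assumption): build a constructed context and report whether the
// rule set context.multifactor.
function runRule(methods, acrValues) {
  const context = { authentication: { methods }, request: { query: {} } };
  if (acrValues !== undefined) context.request.query.acr_values = acrValues;
  let challenged;
  requireMfaRule({ user_id: 'auth0|constructed' }, context, (err, _u, ctx) => {
    if (err) throw err;
    challenged = Boolean(ctx.multifactor);
  });
  return challenged;
}

// Constructed scenarios:
console.log(runRule([{ name: 'pwd' }]));                                  // first login: true
console.log(runRule([{ name: 'pwd' }, { name: 'mfa' }]));                  // getTokenSilently: false
console.log(runRule([{ name: 'pwd' }, { name: 'mfa' }], MFA_ACR));         // re-login w/ acr_values: true
console.log(runRule([{ name: 'mfa' }], `urn:example:acr ${MFA_ACR}`));     // multiple ACRs: true
```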