Multi Apps (multiple domains) with MFA enabled

Hello, we are trying to implement one login for multiple apps, all of them written in NodeJS. We are using express-openid-connect, and we also have a list of excluded users for e2e purposes.

We have app1 and app2, but we also run the application on localhost, for example localhost:3000 and localhost:3001, with the e2e@email account excluded from MFA.

What we did:

  1. Create one regular web app with all the domains in it (Require Multi-factor Auth is None)
  2. We created one Post Login Action with the following code:

```javascript
// ... (the rest of the Action, including the e2eTestUsers list, is elided in the post)
const e2eTestUsers = [/* placeholder: the excluded e2e accounts, e.g. e2e@email */];

exports.onExecutePostLogin = async (event, api) => {
  // Require MFA for every user except the excluded e2e accounts
  if (
    event.user.user_metadata &&
    event.user.email &&
    !e2eTestUsers.includes(event.user.email)
  ) {
    api.multifactor.enable('any', { allowRememberBrowser: false })
  }
}
```

Steps to reproduce the expected behaviour:

  1. Go to app1 (domain) and we should be redirected to login page.
  2. We enter our username and password + MFA
  3. We visit app2 and we should be able to use it

Actual result:

  • When going to app2 we are redirected to the login page to enter the MFA code.

What are we doing wrong? How can we get this working to avoid having to enter the authenticator code whenever we change the domain?

Thanks!

Hi @ben24,

Welcome to the Auth0 Community!

Thanks for the details.

Post Login Actions run every time a user authenticates (including the silent auth that happens during SSO between apps). This means that you are going to see a prompt for MFA every time there is an auth event.

To avoid the second prompt for MFA, you need to add a condition, whether it is based on time (i.e. storing a timestamp in app_metadata) or on the type of authentication (this thread might be helpful).

Either way, you are in control of when/how MFA is prompted when you use an Action, so make sure to evaluate whether or not it is securing your app properly.

Hope this helps!

1 Like
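As an added example (not the original poster's Action and not Auth0 sample code), here is one way to combine both conditions from the reply: skip the challenge when the current session already completed MFA (the silent SSO auth from app2), and otherwise fall back to a timestamp kept in app_metadata. The 8-hour window, the constructed e2e list, the app_metadata key lastMfaAt and the helper names are this example's own assumptions; event.authentication.methods, api.multifactor.enable and api.user.setAppMetadata are Auth0 Actions APIs.

```javascript
// Added example, not the original poster's Action nor Auth0 sample code.
// Assumptions: an 8-hour re-prompt window, a constructed e2e exclusion list
// and an app_metadata key named lastMfaAt. event.authentication.methods[]
// ({ name, timestamp }) and the api.* calls are Auth0 Actions APIs.
const MFA_WINDOW_MS = 8 * 60 * 60 * 1000;
const e2eTestUsers = ['e2e@example.com']; // constructed placeholder

// Most recent completed MFA recorded in this session (ms since epoch) or null.
function sessionMfaAt(event) {
  const methods = (event.authentication && event.authentication.methods) || [];
  let latest = null;
  for (const m of methods) {
    if (m.name !== 'mfa') continue;
    const t = Date.parse(m.timestamp);
    if (!Number.isNaN(t) && (latest === null || t > latest)) latest = t;
  }
  return latest;
}

// Pure decision: 'skip' (excluded user), 'session' (MFA already done in this
// session, the SSO case from the question), 'recent' (app_metadata timestamp
// inside the window) or 'prompt' (challenge now).
function mfaDecision(event, nowMs, windowMs = MFA_WINDOW_MS) {
  const user = event.user || {};
  if (!user.email || e2eTestUsers.includes(user.email)) return 'skip';
  const inSession = sessionMfaAt(event);
  if (inSession !== null && nowMs - inSession < windowMs) return 'session';
  const last = user.app_metadata && user.app_metadata.lastMfaAt;
  if (typeof last === 'number' && nowMs - last < windowMs) return 'recent';
  return 'prompt';
}

// Actions entry point. nowMs is only a hook for testing; Auth0 passes (event, api).
const onExecutePostLogin = async (event, api, nowMs = Date.now()) => {
  // Persist proof of a completed MFA taken from the session record, not from
  // the moment we asked for it, so a later session can apply the time window.
  const done = sessionMfaAt(event);
  const stored = event.user.app_metadata && event.user.app_metadata.lastMfaAt;
  if (done !== null && (typeof stored !== 'number' || done > stored)) {
    api.user.setAppMetadata('lastMfaAt', done);
  }
  if (mfaDecision(event, nowMs) === 'prompt') {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
};
// Auth0 Actions pick the handler up from exports.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

The 'recent' branch lets a brand-new browser session skip MFA inside the window, which is the trade-off the reply warns about; keep only the 'session' check if the SSO case is all you need.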
