Multifactor authentication with rotating refresh

I’m trying to implement the rotating refresh token with my single-page app using the auth0-spa-js SDK. Everything was working until I enabled MFA for the user I was testing with. Now, when it tries to silent auth with the refresh token grant, it fails with 403 “Multifactor authentication required”, then falls back on the authorization code grant and authorizes successfully. I was wondering if this is expected behavior because MFA and rotating refresh are incompatible, or if I should be looking for issues with my implementation?

Hi Anthony,

Welcome to the Auth0 community!

Have you tried setting useRefreshTokens to true on your Auth0 client initialization?

Yes. I have the rotating refresh working. The problem happens when I enable multifactor authentication. When I am logged in as a user that is already multifactor authenticated, it tries to silent auth with the refresh token and gets the aforementioned 403, then reattempts the silent auth with the authorization code and succeeds.

After they’ve successfully authenticated via authorization code, does it fail the next time it tries to silently authenticate?

Yes. It tries to use the refresh token again, fails in the same manner, falls back to authorization code, succeeds, and then repeats for every silent authentication until I turn multifactor authentication off.