Not able to refresh token if MFA is enabled (Error: mfa_required)

Hi there

We have enabled multi factor authentication. We are using Authorization Code Flow.
When our angular app uses a refresh token to exchange a new access token, we got an error mfa_required.

{error: "mfa_required", error_description: "Multifactor authentication required",…}

We have tried these suggested workarounds, but they are not working for us.

  1. Use Refresh Tokens
  2. Configure Silent Authentication
  3. Configuring MFA Flow to require MFA once per session with Actions

The end users have been authenticated with email, password and MFA code when they log in, so I am not sure why the token endpoint still requires MFA when we exchange a new access token. Any suggestions or other workarounds/solutions? Thanks

Cheers
Yanbo


Hi there @ydeng welcome to the community!

You may want to look into writing an Action that utilizes the oauth2-refresh-token property listed under event.transaction here:

Some more on what conditional mfa may look like can be found in the following FAQ:

Hope this helps!


It doesn’t help at all. Is there an example solution? Why isn’t this in the documentation?


Hey there @sarah1!

What is your current setup? Are you using refresh tokens or standard silent auth? I’ve just tested using refresh tokens and our React SDK - users are not required to challenge MFA again on token refresh. This typically happens (speaking to refresh token exchange in particular) when there is a rule/action enforcing MFA.

The more detail you can provide the better!


We’re working with the Angular SDK. We’re using MFA on always but with the “require MFA once per session” rule. I have the AuthModule set up with useRefreshTokens = true and the cacheLocation set to localstorage, and enabled offline mode in the dashboard.

I guess I’m using silent auth right now? I’m letting Universal Login handle the login process, but need to make the access token lifetime super short but don’t want the user to have to log in every minute. So I’m hoping to use refresh tokens but can’t, due to the request (that gets made correctly) returning with an mfa_required error.

Thanks for the details!

Are you able to locate a refresh token after auth? I assume you are also including the offline_access scope in the authorize request?

Let us know!