We have enabled multi-factor authentication. We are using Authorization Code Flow.
When our Angular app uses a refresh token to exchange a new access token, we get an mfa_required error.
The end users have been authenticated with email, password and MFA code when they log in. I am not sure why the token endpoint still requires MFA when we exchange a new access token. Any suggestions or other workaround/solutions? Thanks.
What is your current setup? Are you using refresh tokens or standard silent auth? I’ve just tested using refresh tokens and our React SDK - users are not required to challenge MFA again on token refresh. This typically happens (speaking to refresh token exchange in particular) when there is a rule/action enforcing MFA.
We’re working with the Angular SDK. We’re using MFA on always but with the “require mfa once per session” rule. I have the AuthModule set up with useRefreshTokens = true and the cacheLocation set to localstorage and enabled offline mode in the dashboard.
I guess I’m using silent auth right now? I’m letting universal login handle the login process, but need to make the access token lifetime super short but don’t want the user to have to log in every minute. So I’m hoping to use refresh tokens but can’t, because the request (which gets made correctly) returns with an mfa_required error.
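
The cause suggested earlier in the thread (a rule enforcing MFA that also fires on refresh token exchange), as an added example that is not code from the thread or from Auth0. It assumes the Rules `context` shape (`context.protocol`, `context.authentication.methods`, `context.multifactor`) and that the exchange reports protocol `oauth2-refresh-token` with no `mfa` method; the function names and sample contexts are constructed for illustration.

```javascript
// Added example: plain Node code shaped like an Auth0 Rule, so it runs offline.

// "Once per session" check on its own: challenge unless this session
// already lists an 'mfa' authentication method.
function needsMfaWithoutProtocolCheck(context) {
  const methods = (context.authentication && context.authentication.methods) || [];
  return !methods.some((m) => m.name === 'mfa');
}

// Same check, but a refresh token exchange is never sent to a challenge:
// there is no browser to show one, so the token endpoint would otherwise
// answer mfa_required.
function needsMfaChallenge(context) {
  if (context.protocol === 'oauth2-refresh-token') {
    return false;
  }
  return needsMfaWithoutProtocolCheck(context);
}

// Rule-style wrapper (user, context, callback).
function requireMfaOncePerSession(user, context, callback) {
  if (needsMfaChallenge(context)) {
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
  }
  return callback(null, user, context);
}

// Constructed sample contexts (assumed shapes, not captured from a tenant).
const samples = {
  firstLogin: { protocol: 'oidc-basic-profile', authentication: { methods: [{ name: 'pwd' }] } },
  sameSession: { protocol: 'oidc-basic-profile', authentication: { methods: [{ name: 'pwd' }, { name: 'mfa' }] } },
  refresh: { protocol: 'oauth2-refresh-token', authentication: { methods: [] } },
};

// Runs the rule on a copy of a sample and returns the resulting context.
function runRule(sample) {
  let result;
  const copy = JSON.parse(JSON.stringify(sample));
  requireMfaOncePerSession({}, copy, (err, user, ctx) => { result = ctx; });
  return result;
}

for (const [name, ctx] of Object.entries(samples)) {
  console.log(name, 'challenge:', runRule(ctx).multifactor !== undefined);
}
```

Skipping the challenge on refresh means the refresh token itself carries the MFA assurance, so its lifetime and rotation settings bound how long that assurance lasts.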