I’ve created a web app using NextJS with Next-Auth and Auth0. The authentication itself works perfectly fine. However, we want to enable the user to perform a “risky” action.
To enable the risky action we created an extra permission in the Auth0 dashboard under Applications > APIs > "Our API" > Permissions. When the user wants to perform this action, we want to generate another (new) access token containing the correct scope.
This will start the following flow:
- User enters password and OTP with “risky” scope
- Do an
- Returned error:
"error_description": "Multifactor authentication required"
- Fetch authenticators and challenge OTP authenticator with MFA token
The issue is that in step 1 we ask for a token with a certain scope. But as soon as we do the OTP challenge, the scope is forgotten and the default scope is returned:
scope: 'openid profile email address phone'.
So I have two questions:
- Is it possible to persist the scopes between the first (grant_type: 'password') and the last (grant_type: 'http://auth0.com/oauth/grant-type/mfa-otp') calls to
- Is it possible to request a token with a different scope using ONLY the OTP challenge? To perform a risky action the user now has to enter both the password and, later, the OTP; this seems like overly complex behaviour to get a new scope. What am I missing?
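The two-step flow from the post, written out as an added example (not code from the post or from Auth0): a client that performs the password grant, follows the `mfa_required` error into the mfa-otp grant, and then refuses the risky action unless the scope it asked for is actually present in the returned token. The `/oauth/token` path, the `mfa_token`/`otp` parameter names and the 403 status are assumed from Auth0's public MFA API; the transport below is a constructed stand-in that reproduces the behaviour the post describes (the requested scope is dropped and only the default scope comes back), and `perform:risky-action` is a placeholder for the permission the post does not name.

```python
# Added example, not from the original post. The transport is a constructed
# fake of the tenant's /oauth/token endpoint, not a real Auth0 call.
RISKY_SCOPE = "perform:risky-action"           # placeholder permission name
DEFAULT_SCOPE = "openid profile email address phone"
MFA_OTP_GRANT = "http://auth0.com/oauth/grant-type/mfa-otp"
MFA_TOKEN = "MFA_TOKEN_PLACEHOLDER"            # constructed value


def fake_auth0(path, form):
    """Stand-in for POST https://<tenant>/oauth/token (assumed path).

    Reproduces the post: the password grant answers mfa_required with an
    mfa_token, and the mfa-otp grant issues a token carrying only the
    default scope, i.e. the scope asked for in step 1 is not carried over.
    """
    if path != "/oauth/token":
        return 404, {"error": "not_found"}
    if form.get("grant_type") == "password":
        return 403, {"error": "mfa_required",
                     "error_description": "Multifactor authentication required",
                     "mfa_token": MFA_TOKEN}
    if form.get("grant_type") == MFA_OTP_GRANT and form.get("mfa_token") == MFA_TOKEN:
        if form.get("otp") != "123456":              # constructed valid code
            return 403, {"error": "invalid_grant"}
        return 200, {"access_token": "AT_PLACEHOLDER", "token_type": "Bearer",
                     "scope": DEFAULT_SCOPE}
    return 400, {"error": "unsupported_grant_type"}


def step_up(post, username, password, otp, client_id):
    """Run password grant -> mfa_required -> mfa-otp grant.

    Returns the granted scopes and whether the risky scope is among them.
    The caller must gate the risky action on `risky_allowed`, not on the
    fact that the OTP exchange succeeded.
    """
    status, body = post("/oauth/token", {
        "grant_type": "password", "username": username, "password": password,
        "client_id": client_id, "scope": f"openid {RISKY_SCOPE}"})
    if status != 403 or body.get("error") != "mfa_required":
        raise RuntimeError(f"unexpected first response: {status} {body}")
    status, body = post("/oauth/token", {
        "grant_type": MFA_OTP_GRANT, "client_id": client_id,
        "mfa_token": body["mfa_token"], "otp": otp})
    if status != 200:
        raise RuntimeError(f"mfa-otp grant failed: {status} {body}")
    granted = body.get("scope", "").split()
    return {"granted": granted, "risky_allowed": RISKY_SCOPE in granted}
```

Against this fake the exchange succeeds but `risky_allowed` is False, which is exactly the situation the post describes and the reason the scope check belongs in the client rather than trusting that step-up completed.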