oAuth/token API with MFA challenge via OTP doesn't remember scopes


Hi there,

I’ve created a web app using NextJS with Next-Auth and Auth0. The authentication itself works perfectly fine. However, we want to enable the user to perform a “risky” action.

To enable the risky action we created an extra permission in the Auth0 dashboard in Applications > APIs > "Our API" > Permissions. When the user wants to perform this action, we want to generate another (new) access token containing the correct scope.

I found the “Authenticate Using the Resource Owner Password Flow with MFA” flow in the documentation to generate a new access token.

This will start the following flow:

  1. User enters password and OTP with “risky” scope
  2. Do an oauth/token call with grant_type: password
  3. Returned error: "error_description": "Multifactor authentication required"
  4. Fetch authenticators and challenge OTP authenticator with MFA token

The issue is that in step 1 we ask for a token with a certain scope. But as soon as we do the OTP challenge, the scope is forgotten and the default scope is returned: scope: 'openid profile email address phone'.

As seen in these API docs, it is not possible to send a scope in the OTP request.

So I have two questions:

  • Is it possible to persist the scopes between the first (grant_type: 'password') and the last (grant_type: 'http://auth0.com/oauth/grant-type/mfa-otp') calls to oauth/token?
  • Is it possible to request a token with a different scope ONLY using the OTP challenge? To perform a risky action the user now has to both enter the password and later the OTP, which seems like overcomplex behaviour to get a new scope. What am I missing?
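The two oauth/token request bodies from the flow above, and the check the "risky" endpoint should run on whatever token finally comes back, as an added example that is not the poster's code or Auth0's. Endpoint and grant names follow the post; the client id, audience, scope name and the sample token response are constructed placeholders, and JWT signature verification is assumed to happen elsewhere (e.g. against the API's JWKS) before this check runs.

```javascript
// Added example: Node.js, runs offline with constructed sample data.
const MFA_OTP_GRANT = 'http://auth0.com/oauth/grant-type/mfa-otp';

// Step 2: password grant that asks for the elevated scope.
function passwordGrantBody({ clientId, username, password, audience, scope }) {
  return { grant_type: 'password', client_id: clientId, username, password, audience, scope };
}

// Step 4: answer the OTP challenge with the mfa_token taken from the
// "Multifactor authentication required" error. There is no scope field here,
// which is exactly the gap the post describes.
function mfaOtpGrantBody({ clientId, mfaToken, otp }) {
  return { grant_type: MFA_OTP_GRANT, client_id: clientId, mfa_token: mfaToken, otp };
}

// Split the space-separated scope string of a token response (or JWT claim set).
function scopesOf(obj) {
  return new Set((obj.scope || '').split(' ').filter(Boolean));
}

// Decode (NOT verify) a JWT payload so the scope claim inside the access token
// can be compared with the scope string in the response. Signature verification
// is assumed to have been done already; this only reads claims.
function decodeJwtPayload(jwt) {
  return JSON.parse(Buffer.from(jwt.split('.')[1], 'base64url').toString('utf8'));
}

// Gate for the risky action: trust only the scope the token actually carries,
// never the scope that was requested in step 1.
function mayPerformRiskyAction(tokenResponse, requiredScope) {
  const inResponse = scopesOf(tokenResponse).has(requiredScope);
  const inJwt = scopesOf(decodeJwtPayload(tokenResponse.access_token)).has(requiredScope);
  return inResponse && inJwt;
}

// Constructed sample token (placeholder signature) carrying a given scope claim.
function makeSampleToken(scope) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc({ sub: 'auth0|sample', scope })}.sig`;
}

// What the post reports coming back after the OTP step: default scopes only,
// so the risky action must be refused even though step 1 asked for it.
const AFTER_OTP = {
  access_token: makeSampleToken('openid profile email address phone'),
  scope: 'openid profile email address phone',
  token_type: 'Bearer',
};
```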