Overview
This article explains why silent authentication does not work when requesting an access token using a /mfa audience after enforcing Contextual MFA Challenges. The following error is observed in the tenant logs:
Failed silent authentication—Multifactor authentication required
Applies To
- Multi-Factor Authentication (MFA)
- Silent authentication
Cause
Silent authentication does not work when requesting an access token using a /mfa audience because an MFA challenge is now required, and a silent (prompt=none) request cannot present one.
Solution
The flow must be interactive: the user must pass a challenge before an access token with the /mfa audience is issued. This is especially relevant where the audience used for the silent authentication request (/mfa, for example) differs from the audience used on the initial login.
For example, when using one of our SPA SDKs, an application that previously called getAccessTokenSilently() to request an access token with the MFA audience will now need to use getAccessTokenWithPopup() or loginWithRedirect() instead.
For example:
NOTE: This is untested; please test in a non-production environment.
let accessToken;
try {
  // Silent (prompt=none) request for the MFA audience; this fails once a challenge is enforced
  accessToken = await getAccessTokenSilently({ audience: 'http://domain/mfa/' });
} catch (e) {
  // auth0-spa-js reports the OAuth error code in e.error and the human-readable text in
  // e.error_description; match whichever your tenant logs show. (In auth0-spa-js v2 the
  // audience moves under authorizationParams: { audience: ... }.)
  if (e.error === 'Multifactor authentication required' ||
      e.error_description === 'Multifactor authentication required') {
    // Interactive fallback: the user completes the challenge in a popup
    accessToken = await getAccessTokenWithPopup({ audience: 'http://domain/mfa/' });
  } else {
    throw e; // login_required, network errors, etc. are unrelated to MFA
  }
}
For all other access token requests that do not use the /mfa audience, `getAccessTokenSilently()` should continue to work, unless the audience differs from the one used at login and further consent is required.
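The pattern above, generalized into a reusable helper, as an added example that is not code from the original article or from the Auth0 SDK. It keeps silent acquisition for ordinary audiences, falls back to a popup or a full-page redirect only when Auth0 reports that MFA is required, and lets every other error propagate. The method names getAccessTokenSilently, getAccessTokenWithPopup and loginWithRedirect are those of auth0-spa-js v1 (v2 moves `audience` under `authorizationParams`); the audience URLs and the FakeAuth0Client stand-in are assumptions so the example runs offline.

```javascript
// Added example (not from the original article or the Auth0 SDK).
// Assumptions: auth0-spa-js v1 method names; audience URLs and FakeAuth0Client
// are constructed for offline demonstration.

const MFA_REQUIRED = 'Multifactor authentication required';

// auth0-spa-js throws an error carrying `error` (OAuth code) and
// `error_description` (text); the article matches on `error`, so accept both.
function isMfaRequired(e) {
  return !!e && (e.error === MFA_REQUIRED || e.error_description === MFA_REQUIRED);
}

// fallback: 'popup' (call this from a click handler, or the browser blocks the popup)
// or 'redirect' (full-page navigation; appState lets the app resume where it was).
async function getTokenWithMfaFallback(client, audience, fallback = 'popup', returnTo = '/') {
  try {
    const token = await client.getAccessTokenSilently({ audience });
    return { token, mode: 'silent' };
  } catch (e) {
    if (!isMfaRequired(e)) throw e; // login_required, network errors, etc. are not hidden
    if (fallback === 'popup') {
      const token = await client.getAccessTokenWithPopup({ audience });
      return { token, mode: 'popup' };
    }
    await client.loginWithRedirect({ audience, appState: { returnTo } });
    return { token: null, mode: 'redirect' }; // caller must stop: the page is navigating away
  }
}

// Constructed stand-in for Auth0Client (assumption): any audience listed in
// mfaRequiredFor makes the silent request fail the way the article describes.
class FakeAuth0Client {
  constructor(mfaRequiredFor) {
    this.mfaRequiredFor = new Set(mfaRequiredFor);
    this.calls = [];
  }
  async getAccessTokenSilently({ audience }) {
    this.calls.push(`silent:${audience}`);
    if (this.mfaRequiredFor.has(audience)) {
      throw Object.assign(new Error(MFA_REQUIRED), { error: MFA_REQUIRED, error_description: MFA_REQUIRED });
    }
    return `silent-token:${audience}`;
  }
  async getAccessTokenWithPopup({ audience }) {
    this.calls.push(`popup:${audience}`);
    return `popup-token:${audience}`;
  }
  async loginWithRedirect({ audience, appState }) {
    this.calls.push(`redirect:${audience}:${appState.returnTo}`);
  }
}

// Drives the helper against the fake client: a normal API audience stays silent,
// the MFA audience falls back to popup or redirect depending on the option.
async function demo() {
  const MFA_AUDIENCE = 'https://example.auth0.com/mfa/'; // assumed tenant MFA audience
  const API_AUDIENCE = 'https://api.example.com/';        // assumed ordinary API audience
  const client = new FakeAuth0Client([MFA_AUDIENCE]);
  const api = await getTokenWithMfaFallback(client, API_AUDIENCE);
  const mfaPopup = await getTokenWithMfaFallback(client, MFA_AUDIENCE, 'popup');
  const mfaRedirect = await getTokenWithMfaFallback(client, MFA_AUDIENCE, 'redirect', '/settings');
  return { api, mfaPopup, mfaRedirect, calls: client.calls };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a real application the `'popup'` branch has to run inside a user gesture such as a click handler, otherwise the browser's popup blocker stops it; the `'redirect'` branch is the safer choice for background token refreshes, with `appState.returnTo` read back from `handleRedirectCallback()` to return the user to the page they were on.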