Silent Auth with /mfa Audience No Longer Works After Contextual MFA Challenge Enforcement

Overview

This article explains why silent authentication does not work when requesting an access token with the /mfa audience after Contextual MFA Challenges have been enforced. The following error is observed in the logs:

Failed silent authentication—Multifactor authentication required

Applies To

  • Multi-Factor Authentication (MFA)
  • Silent authentication

Cause

Silent authentication does not work when requesting an access token with the /mfa audience because an MFA challenge is now required, and a silent (prompt=none) request cannot present one.

Solution

The flow must be interactive, and the user must pass a challenge, to obtain an access token with the /mfa audience. This is especially relevant where the audience used for the silent request (/mfa, for example) differs from the audience used on the initial login.

For example, with our SPA SDKs, where an application previously called:

getAccessTokenSilently() to request an access token with the /mfa audience

it will now need to use either getAccessTokenWithPopup() or loginWithRedirect() instead.

For example:

NOTE: This is untested; please test in a non-production environment.

let accessToken;
try {
  // Try the silent (hidden iframe) flow first.
  accessToken = await getAccessTokenSilently({ audience: 'http://domain/mfa/' });
} catch (e) {
  // Auth0 reports an unsatisfied MFA requirement with the error code 'mfa_required'
  // and the description 'Multifactor authentication required'.
  if (e.error === 'mfa_required' || e.error_description === 'Multifactor authentication required') {
    // Fall back to an interactive flow so the user can complete the challenge.
    accessToken = await getAccessTokenWithPopup({ audience: 'http://domain/mfa/' });
  } else {
    // Any other failure (network, configuration, login_required, ...) is not retried here.
    throw e;
  }
}

For all other access token requests that do not use the /mfa audience, `getAccessTokenSilently()` should still work, unless the audience differs from the one used at login and further consent is required.
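The snippet above handles one audience inline. The following added example (not Auth0's own code, and not from the original article) wraps the same decision in a reusable helper and also treats the other error codes a silent request can return, such as `consent_required` for an audience that needs additional consent. The function names match the SPA SDK methods named on this page; `getTokenForAudience`, `needsInteraction`, the `auth0` client parameter and `makeFakeClient` are hypothetical names introduced here, and `http://domain/mfa/` is the page's placeholder audience.

```javascript
// Added example: decide, per audience, whether a token can be obtained silently
// or needs an interactive step. Assumes an `auth0` client object exposing the
// auth0-spa-js method names used on this page (assumption, not the SDK itself).

// Error codes Auth0 returns when a silent (prompt=none) request cannot complete
// without user interaction.
const INTERACTIVE_ERRORS = new Set(['mfa_required', 'login_required', 'consent_required']);

function needsInteraction(err) {
  if (!err) return false;
  return (
    INTERACTIVE_ERRORS.has(err.error) ||
    err.error_description === 'Multifactor authentication required'
  );
}

// Returns { token, method } where method is 'silent' or 'popup'.
async function getTokenForAudience(auth0, audience) {
  try {
    const token = await auth0.getAccessTokenSilently({ audience });
    return { token, method: 'silent' };
  } catch (err) {
    // Network or configuration errors are not retried interactively.
    if (!needsInteraction(err)) throw err;
    // A popup must be opened from a user gesture or browsers block it; call this
    // from a click handler, or use auth0.loginWithRedirect() instead.
    const token = await auth0.getAccessTokenWithPopup({ audience });
    return { token, method: 'popup' };
  }
}

// Constructed stand-in for the SDK client (test double, not real behaviour):
// the placeholder /mfa audience rejects silent requests with mfa_required,
// any other audience succeeds silently.
function makeFakeClient() {
  return {
    async getAccessTokenSilently({ audience }) {
      if (audience.endsWith('/mfa/')) {
        const e = new Error('Multifactor authentication required');
        e.error = 'mfa_required';
        e.error_description = 'Multifactor authentication required';
        throw e;
      }
      return 'silent-token-for-' + audience;
    },
    async getAccessTokenWithPopup({ audience }) {
      return 'popup-token-for-' + audience;
    },
  };
}

// Usage: the /mfa audience falls back to the popup, other audiences stay silent.
getTokenForAudience(makeFakeClient(), 'http://domain/mfa/').then((r) => console.log(r.method));
getTokenForAudience(makeFakeClient(), 'http://domain/api/').then((r) => console.log(r.method));
```

Keeping the silent attempt first means users whose session already satisfied the challenge (or audiences that never needed one) are not forced through a popup; only the `mfa_required`, `login_required` and `consent_required` responses escalate to an interactive flow, and everything else surfaces as an error to be logged.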