Hello,
I am attempting to use SMS MFA with a machine to machine application. We already have configured SMS MFA correctly for a regular web application, but I seem to be getting stuck.
First, I’m making a POST to https://<MY_AUTH0_BASE>/oauth/token with request body:

{
  "grant_type": "http://auth0.com/oauth/grant-type/password-realm",
  "username": "user@email.com",
  "password": "passwordpassword",
  "client_id": "clientidclientid",
  "client_secret": "secretsecret",
  "realm": "this-is-my-realm",
  "audience": "this-is-my-audience"
}
This returns, as expected, a 401 with response body:

{
  "error": "mfa_required",
  "error_description": "Multifactor authentication required",
  "mfa_token": "mfatokenmfatoken"
}
Then I make another POST to https://<MY_AUTH0_BASE>/mfa/challenge with the body:

{
  "client_id": "clientidclientid",
  "challenge_type": "oob",
  "authenticator_id": "sms",
  "mfa_token": "mfatokenmfatoken"
}
But this returns a 401 with response body:

{
  "error": "server_error",
  "error_description": "Unauthorized"
}
The original user is configured with SMS MFA correctly (i.e., the same login info works in the regular web application). I also don’t see anything in the Auth0 logs indicating that anything is incorrect. Any thoughts on what I’m doing wrong?
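As an added example (not the poster's code), here is the exchange from the post carried through to a token in Python, with the HTTP call injected so it runs offline against a constructed stand-in tenant. It follows the documented Auth0 MFA API: the mfa_token is sent as a bearer token to list enrolled authenticators, the returned authenticator id (of the form "sms|dev_...") goes into the challenge, and the oob_code is redeemed with the mfa-oob grant. Every hostname, token and code below is made up.

```python
# Added example, not the poster's code: the password-realm -> mfa_required -> /mfa/challenge -> mfa-oob exchange.
from typing import Any, Callable, Dict, List

PASSWORD_REALM = "http://auth0.com/oauth/grant-type/password-realm"
MFA_OOB = "http://auth0.com/oauth/grant-type/mfa-oob"

def _ok(status: int, body: Any, step: str) -> Any:
    if status != 200:
        raise PermissionError(f"{step} rejected: {body}")
    return body

def sms_authenticator_id(authenticators: List[Dict[str, Any]]) -> str:
    """Full id of the enrolled SMS authenticator; Auth0 ids look like 'sms|dev_...', not the bare channel name."""
    for a in authenticators:
        if a.get("active") and a.get("oob_channel") == "sms":
            return a["id"]
    raise LookupError("no active SMS authenticator enrolled")

def login_with_sms_mfa(base: str, creds: Dict[str, str], read_sms_code: Callable[[], str], transport: Callable) -> Dict[str, Any]:
    """transport(method, url, headers, json_body) -> (status, parsed_json); wrap requests/urllib for real use."""
    client = {"client_id": creds["client_id"], "client_secret": creds["client_secret"]}
    # 1. password-realm grant: a 401 carrying error=mfa_required and an mfa_token is the expected first answer
    status, body = transport("POST", f"{base}/oauth/token", {}, {
        "grant_type": PASSWORD_REALM, "username": creds["username"], "password": creds["password"],
        "realm": creds["realm"], "audience": creds["audience"], **client})
    if body.get("error") != "mfa_required":
        raise PermissionError(f"expected mfa_required, got {status} {body}")
    mfa_token = body["mfa_token"]
    # 2. list enrolled authenticators; here the mfa_token travels as a bearer token, not in the body
    auths = _ok(*transport("GET", f"{base}/mfa/authenticators", {"Authorization": f"Bearer {mfa_token}"}, None), "authenticators")
    # 3. trigger the SMS challenge with the authenticator's full id plus the client credentials
    chal = _ok(*transport("POST", f"{base}/mfa/challenge", {}, {
        "mfa_token": mfa_token, "challenge_type": "oob", "authenticator_id": sms_authenticator_id(auths), **client}), "challenge")
    # 4. redeem oob_code together with the one-time code a human read from the SMS
    return _ok(*transport("POST", f"{base}/oauth/token", {}, {
        "grant_type": MFA_OOB, "mfa_token": mfa_token, "oob_code": chal["oob_code"],
        "binding_code": read_sms_code(), **client}), "mfa-oob grant")

def fake_tenant(method: str, url: str, headers: Dict[str, str], body: Any):
    """Constructed stand-in for the Auth0 tenant (happy path only); every value here is made up."""
    if url.endswith("/mfa/authenticators"):  # the mfa_token must arrive as a bearer token
        ok = headers.get("Authorization") == "Bearer mfatokenmfatoken"
        return (200, [{"id": "sms|dev_example", "oob_channel": "sms", "active": True}]) if ok else (401, {"error": "unauthorized"})
    if url.endswith("/mfa/challenge"):
        return 200, {"challenge_type": "oob", "oob_code": "oobcode-example", "binding_method": "prompt"}
    if body["grant_type"] == PASSWORD_REALM:
        return 401, {"error": "mfa_required", "error_description": "Multifactor authentication required", "mfa_token": "mfatokenmfatoken"}
    if body["grant_type"] == MFA_OOB and body["oob_code"] == "oobcode-example" and body["binding_code"] == "123456":
        return 200, {"access_token": "constructed-access-token", "token_type": "Bearer"}
    return 403, {"error": "invalid_grant", "error_description": "wrong code"}
```

Step 4 still needs a human to read the SMS, which is the part of this flow a machine-to-machine client cannot complete on its own.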