
SMS MFA challenge returning unauthorized




I am attempting to use SMS MFA with a machine to machine application. We already have configured SMS MFA correctly for a regular web application, but I seem to be getting stuck.

First, I’m making a POST to https://<MY_AUTH0_BASE>/oauth/token with request body:

    {
        "username": "",
        "password": "passwordpassword",
        "client_id": "clientidclientid",
        "client_secret": "secretsecret",
        "realm": "this-is-my-realm",
        "audience": "this-is-my-audience"
    }

This returns, as expected, a 401 with response body:

    {
        "error": "mfa_required",
        "error_description": "Multifactor authentication required",
        "mfa_token": "mfatokenmfatoken"
    }

Then I make another POST to https://<MY_AUTH0_BASE>/mfa/challenge with the body:


but this returns a 401 with response body:

    {
        "error": "server_error",
        "error_description": "Unauthorized"
    }

The original user is configured with SMS MFA correctly (i.e., the same login info works in the regular web application). I also don’t see anything in the Auth0 logs indicating that anything is incorrect. Any thoughts on what I’m doing wrong?


Fixed formatting in original post.


Anyone have thoughts on what I’m doing wrong? This is becoming a bit of a blocker for me unfortunately.