
SMS MFA challenge returning unauthorized

sms
#1

Hello,

I am attempting to use SMS MFA with a machine to machine application. We already have configured SMS MFA correctly for a regular web application, but I seem to be getting stuck.

First, I’m making a POST to https://<MY_AUTH0_BASE>/oauth/token with request body:

{
	"grant_type":"http://auth0.com/oauth/grant-type/password-realm",
	"username": "user@email.com",
	"password": "passwordpassword",
	"client_id": "clientidclientid", 
	"client_secret": "secretsecret", 
	"realm": "this-is-my-realm",
	"audience": "this-is-my-audience"
}

This returns, as expected, a 401 with response body:

{
    "error": "mfa_required",
    "error_description": "Multifactor authentication required",
    "mfa_token": "mfatokenmfatoken"
}

Then I make another POST to https://<MY_AUTH0_BASE>/mfa/challenge with the body:

{
	"client_id":"clientidclientid",
	"challenge_type":"oob",
	"authenticator_id":"sms",
	"mfa_token":"mfatokenmfatoken"
}

but this returns a 401 with response body:

{
    "error": "server_error",
    "error_description": "Unauthorized"
}

The original user is configured with SMS MFA correctly (i.e., the same login info works in the regular web application). I also don’t see anything in the Auth0 logs indicating that anything is incorrect. Any thoughts on what I’m doing wrong?

1 Like
#2

Fixed formatting in original post.

#3

Anyone have thoughts on what I’m doing wrong? This is becoming a bit of a blocker for me unfortunately.

#4

Hi,

I am facing the same issue using Google Authenticator.
POST /mfa/challenge returns
{
    "error": "server_error",
    "error_description": "Unauthorized"
}

Best,
Radu