After seeing your documentation about the step-up workflow, I wanted to know if it’s possible to get an MFA token with only an access token.
Typically in my use case:
- App asks for an access token with limited scopes, user’s username and password
- Auth0 returns an access token with the scopes and without an MFA token
- App tries to request one of our API routes requiring a specific scope with the access token
- API route returns a 401 status code with the required scope
Now what I’m looking for is:
- App tries to step up with only the current access token, adding the missing scope
- Auth0 returns the MFA token to proceed to the MFA workflow
I know that you can get an MFA token when requesting an access token with username and password, but I want to know if we can avoid asking again for the user’s password when stepping up the access token.