Step-up authentication redirecting to login page

sulav · July 26, 2022, 7:57am

I am trying to implment step-up authentication using actions. I created a rule that has the following code

function guardianMultifactorStepUpAuthentication(user, context, callback) {
  const isMfa =
    context.request.query.acr_values ===
    'http://schemas.openid.net/pape/policies/2007/06/multi-factor';
  if (isMfa) {
    context.multifactor = {
      provider: 'any',
      allowRememberBrowser: false
    };
  }

  callback(null, user, context);
}

My frontend uses auth0-js library and when I call .authorize method with acr_values as http://schemas.openid.net/pape/policies/2007/06/multi-factor, it takes me to the login page. In my local environment, it takes me to directly to mfa-challenge page where I could enter the OTP and it would redirect back to my application. But in my production environment, it is taking me to the login page instead of taking me to mfa-challenge page. This is bad because user had already logged in using a password and now it’s taking the user back to login page instead of taking to the MFA challenge page directly. Any way I can directly go to the MFA challenge page for Step-Up authentication?
Thanks

jmangelo · July 29, 2022, 8:52am

If you’re not being to the MFA page in the production environment this could be due to several things. Some things to check:

confirm if the tenant session session timeout in production is equivalent to development. If the production tenant has a really short session timeout this could be expiring between the user authenticated and you perform the step-up request.
confirm that the authorization request is done in the same exact condition. Technically, it’s possible to force the login page to be shown even if an authenticated session already exists. For example, with prompt=login so this would always trigger the login page to be shown.
check that overall tenant and client configuration is equivalent. For example, at the tenant level check that both tenants have the same configuration for seamless sso and universal login experiences. At the client level check that both clients have the same configuration options set.

Finally, if still not working you should compare step-by-step the HTTP network trace (browser dev tools) of the login attempt in both environment in order to see if you notice any differences.

Topic		Replies	Views
Step up authentication not working Help mfa , push-via-auth0-guardian-factor	2	2244	December 21, 2022
Is it possible to use Step-Up Authentication with Universal Login? Help step-up , universal-login	3	3147	October 1, 2021
Challenge the User for MFA before a redirection in Actions Knowledge Articles actions , mfa-enablement , forms	1	7	November 1, 2024
Post-login action and MFA Help mfa , mfa-prompt-new-experience	3	443	May 24, 2024
Can we use context.redirect after context.multifactor? Help mfa , mfa-api	0	984	April 27, 2023

Step-up authentication redirecting to login page

Related Topics