Step-up authentication redirecting to login page

I am trying to implement step-up authentication using actions. I created a rule that has the following code

function guardianMultifactorStepUpAuthentication(user, context, callback) {
  // Step-up is requested when the /authorize request carries the
  // multi-factor acr_values policy URI.
  const isMfa =
    context.request.query.acr_values ===
    'http://schemas.openid.net/pape/policies/2007/06/multi-factor';
  if (isMfa) {
    // Require a second factor for this transaction; do not let a previously
    // remembered browser skip the challenge.
    context.multifactor = {
      provider: 'any',
      allowRememberBrowser: false
    };
  }

  callback(null, user, context);
}

My frontend uses the auth0-js library and when I call the .authorize method with acr_values as http://schemas.openid.net/pape/policies/2007/06/multi-factor, it takes me to the login page. In my local environment, it takes me directly to the mfa-challenge page where I can enter the OTP and it redirects back to my application. But in my production environment, it is taking me to the login page instead of taking me to the mfa-challenge page. This is bad because the user had already logged in using a password and now it’s taking the user back to the login page instead of taking them to the MFA challenge page directly. Is there any way I can go directly to the MFA challenge page for step-up authentication?
Thanks

If you’re not being taken to the MFA page in the production environment this could be due to several things. Some things to check:

  • confirm that the tenant session timeout in production is equivalent to development. If the production tenant has a really short session timeout this could be expiring between the user authenticating and you performing the step-up request.
  • confirm that the authorization request is done in the same exact condition. Technically, it’s possible to force the login page to be shown even if an authenticated session already exists. For example, with prompt=login so this would always trigger the login page to be shown.
  • check that overall tenant and client configuration is equivalent. For example, at the tenant level check that both tenants have the same configuration for seamless sso and universal login experiences. At the client level check that both clients have the same configuration options set.

Finally, if it is still not working you should compare step-by-step the HTTP network trace (browser dev tools) of the login attempt in both environments in order to see if you notice any differences.

1 Like
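The last suggestion in the answer above, comparing the /authorize requests captured in both environments, can be made mechanical. The following is an added example written for this thread, not code from the original poster or from Auth0: it parses two captured /authorize URLs, flags the two conditions the answer names (an acr_values value that will not trigger the rule, and prompt=login forcing the login page regardless of session) and lists every parameter that differs between the two environments while ignoring per-request randomness such as state and nonce. The tenant hostnames, client ids and redirect URIs in the sample URLs are constructed placeholders.

```javascript
// Added example (not from the original post): compare two captured /authorize
// requests, e.g. the dev and prod step-up requests seen in the browser's
// network tab, and flag the differences that decide whether the login page
// is shown instead of the MFA challenge.
const MFA_ACR = 'http://schemas.openid.net/pape/policies/2007/06/multi-factor';

// Per-request values that always differ and are noise in a comparison.
const IGNORED_PARAMS = new Set(['state', 'nonce', 'code_challenge']);

// Extract the query parameters of an /authorize URL as a plain object.
// URLSearchParams percent-decodes the values for us.
function authorizeParams(url) {
  const params = {};
  for (const [key, value] of new URL(url).searchParams) {
    params[key] = value;
  }
  return params;
}

// Analyse one request: does it ask for the MFA policy the rule looks for,
// and does it carry a prompt value that forces re-authentication?
function analyzeAuthorizeRequest(url) {
  const p = authorizeParams(url);
  const requestsMfa = p.acr_values === MFA_ACR;
  const forcesLogin = p.prompt === 'login';
  const findings = [];
  if (!requestsMfa) {
    findings.push('acr_values does not request the multi-factor policy, so the rule will not set context.multifactor');
  }
  if (forcesLogin) {
    findings.push('prompt=login forces the login page even when an authenticated session exists');
  }
  if (!p.redirect_uri) {
    findings.push('redirect_uri is missing');
  }
  return { requestsMfa, forcesLogin, findings };
}

// Diff two requests parameter by parameter, skipping per-request randomness.
// Returns a sorted list of { param, a, b } with null for an absent value.
function diffAuthorizeRequests(urlA, urlB) {
  const a = authorizeParams(urlA);
  const b = authorizeParams(urlB);
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  const diffs = [];
  for (const key of keys) {
    if (IGNORED_PARAMS.has(key)) continue;
    if (a[key] !== b[key]) {
      diffs.push({ param: key, a: a[key] === undefined ? null : a[key], b: b[key] === undefined ? null : b[key] });
    }
  }
  return diffs.sort((x, y) => x.param.localeCompare(y.param));
}

// Constructed sample requests (hostnames, client ids and redirect URIs are
// placeholders). The prod request carries prompt=login, which is one of the
// causes the answer lists for the login page being shown.
const DEV_REQUEST =
  'https://dev-tenant.example.auth0.com/authorize' +
  '?response_type=token%20id_token&client_id=DEV_CLIENT_ID' +
  '&redirect_uri=https%3A%2F%2Flocalhost%3A3000%2Fcallback' +
  '&scope=openid%20profile&acr_values=' + encodeURIComponent(MFA_ACR) +
  '&state=abc123&nonce=n1';
const PROD_REQUEST =
  'https://prod-tenant.example.auth0.com/authorize' +
  '?response_type=token%20id_token&client_id=PROD_CLIENT_ID' +
  '&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback' +
  '&scope=openid%20profile&acr_values=' + encodeURIComponent(MFA_ACR) +
  '&prompt=login&state=xyz789&nonce=n2';

// Human-readable report for the two captures.
function report(urlA, urlB) {
  const lines = [];
  for (const [label, url] of [['A', urlA], ['B', urlB]]) {
    for (const f of analyzeAuthorizeRequest(url).findings) lines.push(`${label}: ${f}`);
  }
  for (const d of diffAuthorizeRequests(urlA, urlB)) {
    lines.push(`differs: ${d.param} (A=${d.a}, B=${d.b})`);
  }
  return lines;
}

for (const line of report(DEV_REQUEST, PROD_REQUEST)) console.log(line);
```

Paste the two URLs copied from the network tab in place of the constructed ones; a differing prompt, client_id or redirect_uri line is the first thing to explain before looking at tenant settings. Only the query string is compared here, so a tenant-level difference (session timeout, seamless SSO) will not show up in this output and still has to be checked in the dashboard.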