"The mfa_token provided is invalid" error when calling MFA API including custom domains

Problem statement

An mfa_token obtained through the Resource Owner Password Grant (ROPG) cannot be used with the /mfa/authenticators endpoint when the request is sent to the tenant's custom domain. The following error is returned:

Response:
{
  "error": "invalid_grant",
  "error_description": "The mfa_token provided is invalid. Try getting a new token."
}

Symptoms

  • The mfa_token works against an endpoint of the MFA API on the canonical domain.
  • The same mfa_token fails against the same MFA API endpoint on the custom domain with the error “The mfa_token provided is invalid.”

Steps to reproduce

  • Obtain an mfa_token through ROPG or any of the methods documented here:
    Authenticate Using the Resource Owner Password Flow with MFA

  • Use that same mfa_token with an endpoint of the MFA API, such as {your_domain}/mfa/authenticators, once against the canonical domain and once against the custom domain. The call succeeds with the canonical domain and can unexpectedly fail with the custom domain.
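To reproduce the symptom in a repeatable way, the following Python script (an added example, not code from the original article or from the vendor) runs the ROPG request, extracts the mfa_token from the mfa_required response, and then sends that same token to /mfa/authenticators through both the canonical and the custom domain, reporting which one accepts it. The tenant domains, client credentials, audience and the fake_transport responses are constructed placeholders; pass the default http_json transport instead to run the same check against a real tenant.

```python
"""Canonical-vs-custom-domain check for an mfa_token obtained via ROPG.

Added example, not part of the original article. Assumed (not from the page):
the tenant values below, the transport signature, and the fake responses."""
import json
import urllib.error
import urllib.parse
import urllib.request


def http_json(method, url, body=None, headers=None):
    """Real transport: send one request, return (status, decoded JSON body).

    4xx responses are returned rather than raised so callers can read the
    "error" field the token and MFA endpoints put in the body."""
    hdrs = dict(headers or {})
    data = None
    if body is not None:
        data = urllib.parse.urlencode(body).encode()
        hdrs["Content-Type"] = "application/x-www-form-urlencoded"
    req = urllib.request.Request(url, data=data, headers=hdrs, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode() or "null")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode() or "null")


def obtain_mfa_token(domain, client_id, client_secret, username, password,
                     audience, transport=http_json):
    """Run the ROPG request. For an MFA-enrolled user the token endpoint
    answers with an mfa_required error that carries the mfa_token."""
    status, body = transport("POST", f"https://{domain}/oauth/token", body={
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "audience": audience,
        "scope": "openid profile",
    })
    if isinstance(body, dict) and body.get("error") == "mfa_required" and body.get("mfa_token"):
        return body["mfa_token"]
    # Do not echo the body: a successful response would contain live tokens.
    raise RuntimeError(f"expected mfa_required from {domain}, got HTTP {status}")


def list_authenticators(domain, mfa_token, transport=http_json):
    """Call the MFA API with the mfa_token presented as a bearer token."""
    return transport("GET", f"https://{domain}/mfa/authenticators",
                     headers={"Authorization": f"Bearer {mfa_token}"})


def check_domains(mfa_token, canonical_domain, custom_domain, transport=http_json):
    """Send the same mfa_token to /mfa/authenticators via both domains.

    Returns {"canonical": ..., "custom": ...}; each value is "ok" or the
    error code from the response body (for example "invalid_grant")."""
    results = {}
    for label, domain in (("canonical", canonical_domain), ("custom", custom_domain)):
        status, body = list_authenticators(domain, mfa_token, transport)
        if status == 200 and isinstance(body, list):
            results[label] = "ok"
        elif isinstance(body, dict) and body.get("error"):
            results[label] = body["error"]
        else:
            results[label] = f"http_{status}"
    return results


# Constructed placeholders for a tenant (hypothetical, not taken from the page).
CANONICAL = "example-tenant.us.auth0.com"
CUSTOM = "login.example.com"
FAKE_MFA_TOKEN = "constructed-mfa-token"


def fake_transport(method, url, body=None, headers=None):
    """Offline stand-in for http_json that replays the behaviour the article
    describes: ROPG yields mfa_required, and the MFA API accepts the token
    only on the canonical domain. All responses here are constructed."""
    parsed = urllib.parse.urlparse(url)
    if method == "POST" and parsed.path == "/oauth/token":
        return 403, {"error": "mfa_required",
                     "error_description": "Multifactor authentication required",
                     "mfa_token": FAKE_MFA_TOKEN}
    if method == "GET" and parsed.path == "/mfa/authenticators":
        if (headers or {}).get("Authorization") != f"Bearer {FAKE_MFA_TOKEN}":
            return 401, {"error": "invalid_token"}
        if parsed.netloc == CANONICAL:
            return 200, [{"id": "totp|dev_constructed", "authenticator_type": "otp", "active": True}]
        return 403, {"error": "invalid_grant",
                     "error_description": "The mfa_token provided is invalid. Try getting a new token."}
    return 404, {"error": "not_found"}


if __name__ == "__main__":
    token = obtain_mfa_token(CANONICAL, "client-id", "client-secret", "user@example.com",
                             "password", "https://api.example.com", transport=fake_transport)
    print(check_domains(token, CANONICAL, CUSTOM, transport=fake_transport))
```

Against a real tenant, a result of {"canonical": "ok", "custom": "invalid_grant"} is the signature of this issue; any other combination (both failing, or a different error code) points at a token or credential problem rather than at the custom-domain limitation.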

Solution

Full custom domain support for the MFA functionality is not yet available; this includes the custom Guardian apps. As a workaround, use the canonical domain for these calls.