MFA API with Custom Domain Leads to Error: "The mfa_token provided is invalid. Try getting a new token."

Problem statement

An mfa_token obtained through ROPG, as documented in Authenticate Using the Resource Owner Password Flow with MFA, cannot be used with the /mfa/authenticators endpoint when the request is sent to the tenant's custom domain. The following error is returned:

Response: {
"error": "invalid_grant",
"error_description": "The mfa_token provided is invalid. Try getting a new token."
}

The mfa_token works with the canonical domain on an endpoint of the MFA API; however, the mfa_token does not work with the custom domain.

Symptoms

  • mfa_token works with the canonical domain on an endpoint of the MFA API
  • mfa_token does not work with the custom domain on an endpoint of the MFA API; the call fails with the error “The mfa_token provided is invalid.”

Steps to reproduce

  • Obtain an mfa_token through ROPG or any method documented here: Authenticate Using the Resource Owner Password Flow with MFA
  • Use the same mfa_token with an endpoint of the MFA API, such as {your_domain}/mfa/authenticators, against both the canonical and the custom domain. The call against the canonical domain succeeds, while the call against the custom domain can unexpectedly fail.

Cause

Currently, custom domains are not fully supported for the MFA API functionality, and this includes the custom Guardian apps as well. The Auth0 engineering team has multiple efforts in progress to get custom domains fully supported.

Solution

Until custom domains fully support the MFA functionality, the best approach is to keep using the canonical domain for MFA API requests, which gives consistent results. A custom domain can be used for all /oauth/token requests, but the MFA API audience still needs to be https://YOUR_AUTH0.COM_DOMAIN/mfa/ .
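As an added illustration, not code from the original article, the workaround expressed in Python with only the standard library: the ROPG request may go to the custom domain, but both the audience and the MFA API call name the canonical domain. The domain names, the client values and the requested scope are placeholders or assumptions.

```python
import json
import urllib.request

# Constructed placeholders: replace with your tenant's canonical and custom domains.
CANONICAL_DOMAIN = "YOUR_TENANT.REGION.auth0.com"
CUSTOM_DOMAIN = "login.example.com"
# The MFA API audience must name the canonical domain even when the token
# request itself goes through the custom domain.
MFA_AUDIENCE = f"https://{CANONICAL_DOMAIN}/mfa/"


def build_token_request(username, password, client_id, client_secret,
                        domain=CUSTOM_DOMAIN):
    """ROPG call to /oauth/token; the custom domain is fine for this step."""
    body = {
        "grant_type": "password", "username": username, "password": password,
        "client_id": client_id, "client_secret": client_secret,
        "audience": MFA_AUDIENCE,
        "scope": "openid",  # assumption: use the scopes your application needs
    }
    return urllib.request.Request(
        f"https://{domain}/oauth/token", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")


def extract_mfa_token(response_body):
    """The mfa_token arrives in the mfa_required error body from /oauth/token."""
    err = json.loads(response_body)
    return err.get("mfa_token") if err.get("error") == "mfa_required" else None


def build_authenticators_request(mfa_token, domain=CANONICAL_DOMAIN):
    """GET /mfa/authenticators on the canonical domain, where the token is
    accepted; the same token sent to CUSTOM_DOMAIN returns invalid_grant."""
    return urllib.request.Request(
        f"https://{domain}/mfa/authenticators",
        headers={"Authorization": f"Bearer {mfa_token}"}, method="GET")


def is_invalid_mfa_token(error_body):
    """Recognise the invalid_grant body quoted in the problem statement."""
    try:
        err = json.loads(error_body)
    except ValueError:
        return False
    return (err.get("error") == "invalid_grant"
            and "mfa_token" in err.get("error_description", ""))
```

Send each request with urllib.request.urlopen and, for an HTTPError, read the body and pass it to extract_mfa_token or is_invalid_mfa_token as appropriate.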