What is the correct way to require MFA for ONLY auth0 connections?

What I have tried so far is to disable MFA requirements globally in the authentication settings, then add this action to login.

// Post-login Action: require MFA only for the Auth0 database connection.
exports.onExecutePostLogin = async (event, api) => {
  // event.connection.strategy is "auth0" for database connections;
  // SSO/enterprise connections report a different strategy.
  if (event.connection.strategy === "auth0") {
    api.multifactor.enable("any", { allowRememberBrowser: true });
  }
};

This works to require MFA during sign-in, but it breaks the refresh token flow. I came across this:

https://auth0.com/docs/secure/tokens/refresh-tokens/use-refresh-tokens#bypass-mfa

and tried to translate from hook to action

exports.onExecutePostLogin = async (event, api) => {
  // Skip the MFA requirement for refresh-token exchanges (the Actions
  // equivalent of the hook-era "bypass MFA" check). event.transaction may be
  // absent in some flows, so guard it before reading protocol.
  if (event.transaction && event.transaction.protocol === "oauth2-refresh-token") {
    return;
  }
  // Otherwise require MFA only for the database connection.
  if (event.connection.strategy === "auth0") {
    api.multifactor.enable("any", { allowRememberBrowser: true });
  }
};

But this does not work, in my auth0 logs I still see errors about silent auth failing because MFA is required. Users cannot access the site because auth0-react redirects back to login after failing silent auth.

Hey @brady.dean, welcome to the community!

It sounds like your application is not fully configured to use refresh tokens - If it is, you should see successful refresh token exchange events (sertft) in your logging. I’d need to test with a rule/action in place, but I’m curious if you run into this with successful refresh token exchanges occurring.

If you’d like to share the SDK you’re working with and any related config that could be helpful - Keep us posted!

Refresh tokens seem to work for SSO, I see a lot of successful refresh token exchange events for these connections (99% of our dev testing uses SSO connections). I’m assuming the application is set up correctly (I’m just a backend dev, not too familiar with the react sdk).

I found Configure Silent Authentication and adapted it into an action and this seems to have fixed things, at least in our development env. Will continue testing this tomorrow.

exports.onExecutePostLogin = async (event, api) => {
  // event.authentication.methods lists the methods already completed in the
  // current session (e.g. "pwd", "mfa"); silent authentication reuses that
  // session, so this is how we tell whether MFA has already been done.
  if (event.authentication && Array.isArray(event.authentication.methods)) {
    const authMethods = event.authentication.methods;
    // True if MFA was already completed in this session.
    const completedMfa = authMethods.some((method) => method.name === "mfa");
    // Only challenge database-connection logins that have not yet done MFA.
    if (!completedMfa && event.connection.strategy === "auth0") {
      api.multifactor.enable("any", { allowRememberBrowser: true });
    }
  }
};
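
As an added example (not code from the thread or from Auth0), here is the final action above combined with the refresh-token check from the second attempt, written as a pure decision function so the policy can be run offline against constructed events. The `api` stand-in, the sample events and the protocol strings other than "oauth2-refresh-token" are assumptions; the thread's first attempt is included for comparison so the silent-auth failure it causes is visible side by side.

```javascript
// Added example (not from the thread or Auth0): the thread's final policy
// combined with the refresh-token bypass, as a pure decision function that can
// be exercised offline against constructed events. The `api` stand-in and the
// event shapes are assumptions based on the fields the thread reads from `event`.

// Decide whether this login should be challenged for MFA.
// Returns "enable" or a "skip:<reason>" string.
function mfaDecision(event) {
  // Refresh-token exchanges have no browser to challenge; enabling MFA here
  // only breaks the token flow.
  if (event.transaction && event.transaction.protocol === "oauth2-refresh-token") {
    return "skip:refresh-token";
  }
  // Only the database connection (strategy "auth0") is in scope; SSO
  // connections report a different strategy and are left alone.
  if (!event.connection || event.connection.strategy !== "auth0") {
    return "skip:non-auth0-connection";
  }
  // Silent authentication reuses the existing Auth0 session. If that session
  // already completed MFA, asking again makes silent auth fail with
  // "MFA required" and the SPA bounces back to login.
  const methods =
    event.authentication && Array.isArray(event.authentication.methods)
      ? event.authentication.methods
      : [];
  if (methods.some((m) => m.name === "mfa")) {
    return "skip:mfa-already-completed";
  }
  return "enable";
}

// The thread's first attempt, kept for comparison: it re-enables MFA on every
// login for the auth0 connection, including silent auth and refresh exchanges.
function firstAttemptDecision(event) {
  return event.connection && event.connection.strategy === "auth0"
    ? "enable"
    : "skip:non-auth0-connection";
}

// Apply a decision function through the Actions `api` object.
function applyMfaPolicy(event, api, decide = mfaDecision) {
  const decision = decide(event);
  if (decision === "enable") {
    api.multifactor.enable("any", { allowRememberBrowser: true });
  }
  return decision;
}

// The Action entry point as Auth0 would call it.
const onExecutePostLogin = async (event, api) => {
  applyMfaPolicy(event, api);
};
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Minimal stand-in for the Actions `api` object (assumption: only
// multifactor.enable is needed). It records the calls it receives.
function makeFakeApi() {
  const calls = [];
  return {
    calls,
    multifactor: {
      enable: (provider, options) => calls.push({ provider, options }),
    },
  };
}

// Run a decision function against one event and report what happened.
function runPolicy(event, decide = mfaDecision) {
  const api = makeFakeApi();
  const decision = applyMfaPolicy(event, api, decide);
  return { decision, mfaEnabled: api.calls.length === 1 };
}

// Constructed sample events; field shapes follow what the thread reads from
// `event`. Protocol strings other than "oauth2-refresh-token" are assumed.
const sampleEvents = {
  passwordLogin: {
    connection: { strategy: "auth0" },
    transaction: { protocol: "oidc-basic-profile" },
    authentication: { methods: [{ name: "pwd" }] },
  },
  silentAuthAfterMfa: {
    connection: { strategy: "auth0" },
    transaction: { protocol: "oidc-basic-profile" },
    authentication: { methods: [{ name: "pwd" }, { name: "mfa" }] },
  },
  refreshTokenExchange: {
    connection: { strategy: "auth0" },
    transaction: { protocol: "oauth2-refresh-token" },
  },
  ssoLogin: {
    connection: { strategy: "samlp" },
    transaction: { protocol: "oidc-basic-profile" },
    authentication: { methods: [{ name: "federated" }] },
  },
};

// Print a side-by-side comparison of both policies for each sample event.
for (const [name, event] of Object.entries(sampleEvents)) {
  console.log(
    name.padEnd(22),
    "first attempt enables MFA:", runPolicy(event, firstAttemptDecision).mfaEnabled,
    "| fixed policy enables MFA:", runPolicy(event).mfaEnabled,
  );
}
```

Run it with `node`. The row to look at is `silentAuthAfterMfa`: the first attempt enables MFA again on a session that has already completed it, which is exactly the "silent auth failing because MFA is required" log entry from the question, while the fixed policy leaves that session alone and still challenges a fresh password login.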
