oauth2-access-token Refreshing a token using the refresh token exchange.
oauth2-refresh-token Refreshing a token using the refresh token exchange.
oauth2-token-exchange
I’m filtering the oauth2-refresh-token protocol to not trigger MFA in this action when refreshing the access token but I’m wondering if I should also use oauth2-access-token as well?
Can you clarify what the difference between them is?
oauth2-refresh-token: Refers to refreshing a token using the refresh token exchange.
oauth2-access-token: Corresponds to the legacy POST /oauth/accesstoken request for an access token.
oauth2-token-exchange: Refers to exchanging a code for an access token.
If you need to prevent MFA from being triggered for the oauth2-refresh-token transaction, you could do something like the following:
exports.onExecutePostLogin = async (event, api) => {
  // Require MFA for every transaction except the refresh token exchange
  if (event.transaction.protocol !== "oauth2-refresh-token") {
    api.multifactor.enable('any');
  }
  // else do not trigger MFA
};
Finally, one thing to note is that you will need to set your Require Multi-factor Auth to Never for this to work properly. This is because Actions will override the MFA setting being turned off.
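An added example, not part of the original replies and not Auth0's own code: the same protocol filter written to fail closed, with a hypothetical mock `api` object so the decision can be checked locally for each protocol value discussed in this thread. `SKIP_MFA_PROTOCOLS`, `makeMockApi`, `mfaRequestedFor` and `runMatrix` are names assumed here, and treating `event.transaction` as possibly absent is also an assumption.

```javascript
// Added example. Protocol values for which MFA is skipped: only the
// refresh token exchange from this thread. Everything else gets MFA.
const SKIP_MFA_PROTOCOLS = new Set(["oauth2-refresh-token"]);

// Post-login handler. Fails closed: a missing, non-string or unrecognised
// protocol value still triggers MFA (exact, case-sensitive match only).
const onExecutePostLogin = async (event, api) => {
  const protocol = event.transaction?.protocol; // assumption: may be absent
  if (typeof protocol === "string" && SKIP_MFA_PROTOCOLS.has(protocol)) {
    return; // refresh token exchange: do not trigger MFA
  }
  api.multifactor.enable("any");
};

// In the Action editor the handler is assigned to exports, as in the reply above.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Hypothetical local stand-in for the Actions `api` object; records enable() calls.
function makeMockApi() {
  const calls = [];
  return { calls, multifactor: { enable: (provider) => calls.push(provider) } };
}

// Runs the handler for one protocol value and reports whether MFA was requested.
async function mfaRequestedFor(protocol) {
  const api = makeMockApi();
  const event = protocol === undefined ? {} : { transaction: { protocol } };
  await onExecutePostLogin(event, api);
  return api.calls.length === 1 && api.calls[0] === "any";
}

// Constructed inputs: the three values from this thread plus two edge cases.
async function runMatrix() {
  const inputs = [
    "oauth2-refresh-token",
    "oauth2-access-token",
    "oauth2-token-exchange",
    "OAuth2-Refresh-Token", // wrong case: must not be treated as a refresh
    undefined,              // no transaction object on the event
  ];
  const result = {};
  for (const p of inputs) result[String(p)] = await mfaRequestedFor(p);
  return result;
}

runMatrix().then((r) => console.table(r));
```

With this filter only the exact `oauth2-refresh-token` value skips MFA; `oauth2-access-token` and `oauth2-token-exchange` transactions are still challenged.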