What's the difference between `oauth2-token-exchange`, `oauth2-access-token` and `oauth2-refresh-token`

Hello :wave:

I’m looking at the authentication protocol object from the post-login action and I’m wondering what is the difference between those 3 values:

  • oauth2-refresh-token
  • oauth2-access-token
  • oauth2-token-exchange

It is documented here Actions Triggers: post-login - Event Object but I’m not sure what is the real difference:

  • oauth2-access-token Refreshing a token using the refresh token exchange.
  • oauth2-refresh-token Refreshing a token using the refresh token exchange.
  • oauth2-token-exchange

I’m filtering the oauth2-refresh-token protocol to not trigger MFA in this action when refreshing the access token but I’m wondering if I should also use oauth2-access-token as well?

Can you clarify what is the difference between them?

Thanks :pray:

Hi @Will956,

Thanks for posting your question on Community!

  • oauth2-refresh-token: Refers to refreshing a token using the refresh token exchange.
  • oauth2-access-token: Corresponds to the legacy POST /oauth/accesstoken request for an access token.
  • oauth2-token-exchange: Refers to exchanging a code for an access token.

If you need to prevent MFA from being triggered for the oauth2-refresh-token transaction, you could do something like the following:

```js
exports.onExecutePostLogin = async (event, api) => {
  // Prompt for MFA on every transaction except a refresh token exchange
  if (event.transaction.protocol !== "oauth2-refresh-token") {
    api.multifactor.enable('any');
  }
  // else do not trigger MFA
};
```

Finally, one thing to note is that you will need to set your Require Multi-factor Auth to Never for this to work properly. This is because Actions will override the MFA setting being turned off.

Please let me know how this goes for you.

Thanks,
Rueben
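
As an added example (not part of the original thread and not Auth0's own code), the same policy written as an allow-list that fails closed, run against constructed events for the three protocols discussed above. The helper names, the mock `api` object and the possibility that `event.transaction` is absent are assumptions made for illustration.

```javascript
// Only this protocol skips the MFA prompt. Anything else, including a missing
// or unrecognised protocol, fails closed and is challenged.
const MFA_EXEMPT_PROTOCOLS = new Set(["oauth2-refresh-token"]);

// Hypothetical pure helper so the policy can be tested without a tenant.
function shouldEnforceMfa(event) {
  // Assumption: event.transaction may be absent, so guard before reading it.
  const protocol =
    event && event.transaction ? event.transaction.protocol : undefined;
  return !MFA_EXEMPT_PROTOCOLS.has(protocol);
}

// In an Action this function would be assigned to exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  if (shouldEnforceMfa(event)) {
    api.multifactor.enable("any");
  }
};

// Constructed stand-in for the Actions `api` object: records enable() calls.
function makeMockApi() {
  const calls = [];
  return { calls, multifactor: { enable: (provider) => calls.push(provider) } };
}

// Runs the handler on one event and returns the recorded enable() arguments.
function simulate(event) {
  const api = makeMockApi();
  // The handler has no await, so the call is recorded before this returns.
  onExecutePostLogin(event, api);
  return api.calls;
}

// Constructed sample events, one per case.
const SAMPLE_EVENTS = {
  refresh: { transaction: { protocol: "oauth2-refresh-token" } },
  legacyAccessToken: { transaction: { protocol: "oauth2-access-token" } },
  codeExchange: { transaction: { protocol: "oauth2-token-exchange" } },
  noTransaction: {},
};

for (const [name, event] of Object.entries(SAMPLE_EVENTS)) {
  const enforced = simulate(event).length > 0;
  console.log(name, "->", enforced ? "MFA enforced" : "MFA skipped");
}
```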

