
Can not login with app-level MFA using token.getWithoutPrompt #1454

lewisdoesstuff opened this issue Sep 5, 2023 · 2 comments

@lewisdoesstuff

Describe the bug

I'm running into issues trying to add MFA support to my custom sign-in form.

This works fine without MFA, using PKCE and signInWithCredentials, then calling token.getWithoutPrompt to fetch the tokens.

However, once MFA is enabled on the app, this seems to behave differently to what the Authn API says.

Calling signInWithCredentials returns a transaction with a status of SUCCESS, instead of the expected MFA_REQUIRED.
Then, as we're not able to detect that MFA is required, the regular (successful) login handler is used, and token.getWithoutPrompt throws an error:
The client specified not to prompt, but the client app requires re-authentication or MFA.

This works fine if I call signInWithRedirect, as the MFA prompt is handled by the Okta-hosted page, but I'd like to handle this in-app, without redirecting to another page to complete the MFA challenge.

Reproduction Steps?

Can't share a repo, unfortunately, but to reproduce:

  • Create an OktaAuth instance with pkce: true
  • Call authClient.signInWithCredentials(username, password) to get the transaction
    • With MFA disabled on the app, this returns a transaction with status: 'SUCCESS', as expected.
    • When MFA is enabled, we receive the same 'SUCCESS' response, instead of 'MFA_REQUIRED'
  • While the handler for MFA should be called, this returning a 'SUCCESS' status causes the login to be treated as successful
  • Calling token.getWithoutPrompt returns "The client specified not to prompt, but the client app requires re-authentication or MFA."

SDK Versions

System:
OS: Windows 10
CPU: x64 11th Gen Intel(R) Core(TM) i9-11900H @ 2.50GHz
Memory: 13.33 GB / 31.67 GB
Binaries:
Node: 16.18.0 - ~\Applications\node-v16.18.0-win-x64\node.EXE
npm: 8.19.2 - ~\Applications\node-v16.18.0-win-x64\npm.CMD
Browsers:
Edge: 44.19041.1266.0
Internet Explorer: 11.0.19041.1566

It didn't return the okta-auth-js package version, but it's "@okta/okta-auth-js": "^7.3.0"

Additional Information?

No response

@lewisdoesstuff
Author

Not a solution, but I worked around this by catching the error returned by token.getWithoutPrompt, checking if it includes 'MFA', then calling token.getWithPrompt with { prompt: 'consent' }.

This doesn't display a prompt for anyone who doesn't require MFA, but shows it when factor validation is required.
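The workaround above as an added example (not code from the issue or from okta-auth-js): the helper first honours an MFA_REQUIRED transaction status, then treats the getWithoutPrompt error text quoted in the issue as the MFA signal and falls back to an interactive prompt, while letting any other error surface. The client shape (signInWithCredentials, token.getWithoutPrompt, token.getWithPrompt) follows the method names on the page; the fake client is constructed to mimic the reported behaviour (status 'SUCCESS' even when MFA is enforced).

```javascript
// Phrase taken from the error message quoted in the issue. Matching on message
// text is brittle (assumption: no stable error code is available here), so the
// match is kept narrow and every other error is rethrown to the caller.
const MFA_ERROR_TEXT = 'requires re-authentication or MFA';

function isMfaRequiredError(err) {
  return err instanceof Error && err.message.includes(MFA_ERROR_TEXT);
}

async function loginWithMfaFallback(authClient, username, password) {
  const transaction = await authClient.signInWithCredentials({ username, password });
  if (transaction.status === 'MFA_REQUIRED') {
    // Documented path: hand the transaction to the in-app factor verification UI.
    return { path: 'mfa-transaction', tokens: null, transaction };
  }
  if (transaction.status !== 'SUCCESS') {
    throw new Error(`unexpected transaction status: ${transaction.status}`);
  }
  try {
    const { tokens } = await authClient.token.getWithoutPrompt();
    return { path: 'silent', tokens };
  } catch (err) {
    if (!isMfaRequiredError(err)) throw err; // network/config errors are not MFA
    // Workaround from the issue: let the Okta-hosted page run the factor challenge.
    const { tokens } = await authClient.token.getWithPrompt({ prompt: 'consent' });
    return { path: 'prompt', tokens };
  }
}

// Constructed fake client reproducing the behaviour described in the issue:
// SUCCESS status regardless of MFA, and getWithoutPrompt failing when MFA applies.
function makeFakeClient({ mfaEnabled, silentError = null }) {
  return {
    signInWithCredentials: async () => ({ status: 'SUCCESS' }),
    token: {
      getWithoutPrompt: async () => {
        if (silentError) throw new Error(silentError);
        if (mfaEnabled) {
          throw new Error('The client specified not to prompt, but the client app requires re-authentication or MFA.');
        }
        return { tokens: { accessToken: 'at-silent' } };
      },
      getWithPrompt: async () => ({ tokens: { accessToken: 'at-prompt' } }),
    },
  };
}
```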

@jaredperreault-okta
Contributor

Thanks for the report, we will look into this

Internal Ref: OKTA-644786
