Can not login with app-level MFA using token.getWithoutPrompt #1454

Open
lewisdoesstuff opened this issue Sep 5, 2023 · 9 comments

@lewisdoesstuff

Describe the bug

I'm running into issues trying to add MFA support to my custom sign-in form.

This works fine without MFA, using PKCE and signInWithCredentials, then calling token.getWithoutPrompt to fetch the tokens.

However, once MFA is enabled on the app, this seems to behave differently to what the Authn API says.

Calling signInWithCredentials returns a transaction with a status of SUCCESS, instead of the expected MFA_REQUIRED.
Then, as we're not able to detect that MFA is required, the regular (successful) login handler is used, and token.getWithoutPrompt throws an error:
The client specified not to prompt, but the client app requires re-authentication or MFA.

This works fine if I call signInWithRedirect, as the MFA prompt is handled by the Okta-hosted page, but I'd like to handle this in-app, without redirecting to another page to complete the MFA challenge.

Reproduction Steps?

Can't share a repo, unfortunately, but to reproduce:

  • Create an OktaAuth instance with pkce: true
  • Call authClient.signInWithCredentials(username, password) to get the transaction
    • With MFA disabled on the app, this returns a transaction with status: 'SUCCESS', as expected.
    • When MFA is enabled, we receive the same 'SUCCESS' response, instead of 'MFA_REQUIRED'
  • While the handler for MFA should be called, this returning a 'SUCCESS' status causes the login to be treated as successful
  • Calling token.getWithoutPrompt returns The client specified not to prompt, but the client app requires re-authentication or MFA.

SDK Versions

System:
OS: Windows 10
CPU: x64 11th Gen Intel(R) Core(TM) i9-11900H @ 2.50GHz
Memory: 13.33 GB / 31.67 GB
Binaries:
Node: 16.18.0 - ~\Applications\node-v16.18.0-win-x64\node.EXE
npm: 8.19.2 - ~\Applications\node-v16.18.0-win-x64\npm.CMD
Browsers:
Edge: 44.19041.1266.0
Internet Explorer: 11.0.19041.1566

It didn't return the okta-auth-js package version, but it's "@okta/okta-auth-js": "^7.3.0"

Additional Information?

No response

@lewisdoesstuff (Author)

Not a solution, but I worked around this by catching the error returned by token.getWithoutPrompt, checking if it includes 'MFA', then calling token.getWithPrompt with { prompt: 'consent' }.

This doesn't display a prompt for anyone who doesn't require MFA, but shows it when factor validation is required.

@jaredperreault-okta (Contributor)

Thanks for the report, we will look into this

Internal Ref: OKTA-644786

@pdubb29 commented Nov 15, 2024

Is there any update on this issue? I can't view the ticket: https://oktainc.atlassian.net/browse/OKTA-644786

@JermZone

I am also having the same issue:
Calling signInWithCredentials returns a transaction with a status of SUCCESS, instead of the expected MFA_REQUIRED.
Then, as we're not able to detect that MFA is required, the regular (successful) login handler is used, and token.getWithoutPrompt throws an error:
The client specified not to prompt, but the client app requires re-authentication or MFA.

@pdubb29 commented Nov 18, 2024

@lewisdoesstuff do you still have this solution in place?
What happens when you do the following? Do you have your own UI built in where you redirect the user to put MFA in?

> Not a solution, but I worked around this by catching the error returned by token.getWithoutPrompt, checking if it includes 'MFA', then calling token.getWithPrompt with { prompt: 'consent' }.
>
> This doesn't display a prompt for anyone who doesn't require MFA, but shows it when factor validation is required.

@lewisdoesstuff (Author)

Hey!

Yeah, I'm still using this and it works well.

I have my own sign-in form UI, which attempts to log in with the entered credentials.

When MFA is required (getWithoutPrompt returns an error containing the string 'MFA'), we call getWithPrompt. By passing { prompt: 'consent' } to it, an Okta 2FA prompt is displayed in a new window.

This only happens if an MFA confirmation is required. It's possible (I think) for it to error when MFA is required, but a prompt is not? In these cases, the user doesn't see anything (thanks to { prompt: 'consent' }).

After this, the regular login flow continues.

My implementations are all Vue SPAs, so this might differ for you.
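The workaround described in this comment and in the earlier one (try token.getWithoutPrompt, fall back to token.getWithPrompt with { prompt: 'consent' } only when the error is the "requires re-authentication or MFA" one), written out as an added example. This is my illustration, not code from the issue or from the okta-auth-js project. It assumes the real SDK methods named in the thread (signInWithCredentials, token.getWithoutPrompt, token.getWithPrompt) behave as reported; the OktaAuth instance is replaced by a constructed stand-in, makeFakeClient, so the flow runs offline, and reading the error text from errorSummary or message is an assumption.

```javascript
// Added example, not from the issue or the okta-auth-js project. `authClient` is any
// object with the okta-auth-js methods used in the thread; makeFakeClient below is a
// constructed stand-in that reproduces the reported behaviour so this runs offline.

const MFA_HINT = /MFA/;

// Recognise the one error the thread treats as "a factor is outstanding". Anything
// else (network, configuration, revoked session) is NOT a reason to open a prompt.
function isMfaRequiredError(err) {
  // Assumption: okta-auth-js errors expose errorSummary, plain Errors expose message.
  const text = [err && err.errorSummary, err && err.message].filter(Boolean).join(' ');
  return MFA_HINT.test(text);
}

// Silent token request first; on the MFA error only, fall back to a prompted request
// with prompt: 'consent', exactly the parameter the thread reports using.
async function getTokensWithMfaFallback(authClient, tokenParams) {
  try {
    const res = await authClient.token.getWithoutPrompt(tokenParams);
    return { ...res, prompted: false };
  } catch (err) {
    if (!isMfaRequiredError(err)) throw err; // unrelated failures propagate unchanged
    const res = await authClient.token.getWithPrompt({ prompt: 'consent' });
    return { ...res, prompted: true };
  }
}

async function signInAndGetTokens(authClient, username, password) {
  const transaction = await authClient.signInWithCredentials({ username, password });
  // Per the issue, /authn answers SUCCESS even when app-level MFA is enforced, so the
  // status cannot be used to decide whether a factor is still outstanding.
  if (transaction.status !== 'SUCCESS') {
    throw new Error(`unexpected transaction status: ${transaction.status}`);
  }
  return getTokensWithMfaFallback(authClient, { sessionToken: transaction.sessionToken });
}

// Constructed stand-in for an OktaAuth instance. mfaEnforced reproduces the issue:
// SUCCESS from signInWithCredentials, then getWithoutPrompt rejecting with the quoted text.
function makeFakeClient({ mfaEnforced = false, failWith = null } = {}) {
  const calls = []; // records which token method ran and with what params
  return {
    calls,
    signInWithCredentials: async () => ({ status: 'SUCCESS', sessionToken: 'st-constructed' }),
    token: {
      getWithoutPrompt: async (params) => {
        calls.push(['getWithoutPrompt', params]);
        if (failWith) throw failWith;
        if (mfaEnforced) {
          const e = new Error('silent token request rejected');
          e.errorSummary =
            'The client specified not to prompt, but the client app requires re-authentication or MFA.';
          throw e;
        }
        return { tokens: { accessToken: 'at-silent' } };
      },
      getWithPrompt: async (params) => {
        calls.push(['getWithPrompt', params]);
        return { tokens: { accessToken: 'at-prompted' } };
      },
    },
  };
}
```

Matching on the substring 'MFA' follows the thread's workaround and depends on Okta's error wording; that is why the helper rethrows everything that does not match instead of guessing, which also keeps the consent window from appearing on unrelated failures.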

@jaredperreault-okta (Contributor)

@JermZone @pdubb29 are you experiencing this issue with an existing integration after MFA was enabled? Or is this a brand new integration?

@pdubb29 commented Nov 18, 2024

I am looking at implementing the similar solution that @lewisdoesstuff did.
The same calls that he mentioned are ones that I'm using.
Mainly signInWithCredentials & getWithoutPrompt

I'm wanting to turn on MFA for a user group. I expect the same results from those calls that Lew has mentioned.

Wanted to see if there's been any progress on changing the status from SUCCESS to MFA_REQUIRED or if I need to move forward with an implementation that Lew mentioned.

> Hey!
>
> Yeah, I'm still using this and it works well.
>
> I have my own sign-in form UI, which attempts to log in with the entered credentials.
>
> When MFA is required (getWithoutPrompt returns an error containing the string 'MFA'), we call getWithPrompt. By passing { prompt: 'consent' } to it, an Okta 2FA prompt is displayed in a new window.
>
> This only happens if an MFA confirmation is required. It's possible (I think) for it to error when MFA is required, but a prompt is not? In these cases, the user doesn't see anything (thanks to { prompt: 'consent' }).
>
> After this, the regular login flow continues.
>
> My implementations are all Vue SPAs, so this might differ for you.

Ideally, we'd like not to display a different UI screen to the user and host the MFA selection and code entering on our UI. So if we get an error from signInWithCredentials() that says the user needs to enter an MFA code, my thinking is: could the Okta SDK allow getWithoutPrompt to take an MFA factorId along with their MFA code?

@jaredperreault-okta (Contributor)

@pdubb29 This forum post should help explain the situation. Essentially what you're trying to achieve is not possible with the /authn pipeline. It seems like you'll need to use @lewisdoesstuff's workaround or go with one of the suggested solutions in the forum post
