curl --request POST \
--url https://[login-domain].auth0.com/oauth/token \
--header 'Content-Type: application/json' \
--data '{"grant_type":"refresh_token","client_id": "f3tnaegL..", "client_secret": "R0F6..", "refresh_token":"T943..",
"scope":"openid profile transfer:funds"
}'
{
"error": "mfa_required",
"error_description": "Multifactor authentication required",
"mfa_token": "Fe26.2*272d.."
}
| function (user, context, callback) { | |
| // Only applied for the refresh token flow along with the special scope (e.g.: transfer:funds) that | |
| // will trigger the MFA step up. | |
| if (context.protocol === "oauth2-refresh-token" && | |
| context.request.body && | |
| context.request.body.scope && | |
| context.request.body.scope.indexOf('transfer:funds') > -1) { | |
| // Insert a custom claim in id token which would be checked along with amr claim | |
| const namespace = 'https://myapp.example.com/'; | |
| context.idToken[namespace + 'stepup'] = true; | |
| // Force MFA | |
| context.multifactor = { | |
| provider: 'any', | |
| allowRememberBrowser: false | |
| }; | |
| } | |
| callback(null, user, context); | |
| } |
In regular MFA step up with web-based flows, Auth0 inserts a claim named amr in the ID token. This claim needs to be checked on the app side to ensure that the user performed second-factor authentication successfully. For the Refresh Token flow unfortunately the issued ID tokens don't have this claim so we insert a custom claim to the ID token in the above rule to implement a similar mechanism.
This custom claim should be inserted only for the Refresh Token flow and when the special scope is requested. The app should then check this custom claim along with the
amrclaim to allow the critical operation.