curl --request POST \
  --url https://[login-domain].auth0.com/oauth/token \
  --header 'Content-Type: application/json' \
  --data '{
    "grant_type": "refresh_token",
    "client_id": "f3tnaegL..",
    "client_secret": "R0F6..",
    "refresh_token": "T943..",
    "scope": "openid profile transfer:funds"
  }'

{
  "error": "mfa_required",
  "error_description": "Multifactor authentication required",
  "mfa_token": "Fe26.2*272d.."
}
In regular MFA step-up with web-based flows, Auth0 inserts a claim named amr in the ID token. The app must check this claim to ensure that the user successfully completed second-factor authentication. For the Refresh Token flow, unfortunately, the issued ID tokens don't carry this claim, so the rule above inserts a custom claim into the ID token to implement a similar mechanism.
This custom claim should be inserted only for the Refresh Token flow and only when the special scope is requested. The app should then check this custom claim along with the amr claim before allowing the critical operation.
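The app-side half of this mechanism, as an added example that is not code from the original article or from Auth0: it recognises the mfa_required response shown above, and gates the critical operation on either the standard amr claim or the custom claim. It assumes a JWT library has already verified the ID token, and the custom claim name is a placeholder chosen for this example.

```javascript
// Added example; not code from the original article or from Auth0.
// Assumes a JWT library has already verified the ID token's signature, issuer,
// audience and expiry. The custom claim name is a placeholder for this example.
const CUSTOM_MFA_CLAIM = "https://example.com/claims/mfa_step_up"; // assumed name

// Read the payload of an already-verified JWT. Not a substitute for verification.
function decodePayload(jwt) {
  const segment = jwt.split(".")[1];
  if (!segment) throw new Error("malformed JWT");
  return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
}

// Build a JWT-shaped sample token for offline use (constructed, placeholder signature).
function sampleToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64(claims)}.placeholder-signature`;
}

// Interpret the /oauth/token response body: an mfa_required error carrying the
// mfa_token for the MFA challenge, some other error, or an issued token set.
function classifyTokenResponse(body) {
  if (body.error === "mfa_required") {
    if (typeof body.mfa_token !== "string") {
      throw new Error("mfa_required response without mfa_token");
    }
    return { kind: "mfa_required", mfaToken: body.mfa_token };
  }
  if (body.error) return { kind: "error", error: body.error };
  return { kind: "tokens", idToken: body.id_token, refreshToken: body.refresh_token };
}

// Gate the critical operation on proof of a second factor: the standard amr claim
// (set by Auth0 in web-based step-up) or the custom claim the rule adds for the
// Refresh Token flow. Anything else, including a missing or non-array amr, fails closed.
function stepUpSatisfied(claims) {
  const amr = Array.isArray(claims.amr) ? claims.amr : [];
  if (amr.includes("mfa")) return true;
  return claims[CUSTOM_MFA_CLAIM] === true;
}

// Constructed walk-through: the response shown above, then a refreshed ID token.
const mfaRequired = classifyTokenResponse({
  error: "mfa_required",
  error_description: "Multifactor authentication required",
  mfa_token: "Fe26.2*272d..",
});
const refreshedIdToken = sampleToken({ sub: "auth0|user", [CUSTOM_MFA_CLAIM]: true });
console.log(mfaRequired.kind, stepUpSatisfied(decodePayload(refreshedIdToken)));
```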