MFA with the password grant
-
Can I use MFA with the password grant (resource owner password credentials grant)?
-
Yes. While we recommend the Authorization Code grant in almost all situations, there are times when you need the password grant, and FusionAuth's MFA works with it just fine.
When you begin the password grant, if the user has MFA set up, you won't receive the JWT on successful authentication. Instead you'll receive JSON like this:
{"error":"two_factor_required","error_description":"The user has enabled two factor authentication.","two_factor_id":"gDNV2_fFtl7vhMV5_5bFJUL3ZyZ5Ine69n0xWDXKEGw"}
You'll then need to use the provided two_factor_id to complete the MFA as documented here: https://fusionauth.io/docs/v1/tech/apis/login/#complete-multi-factor-authentication
That might look something like this:
curl https://local.fusionauth.io/api/two-factor/login -H 'content-type: application/json' -d '{"twoFactorId": "gDNV2_fFtl7vhMV5_5bFJUL3ZyZ5Ine69n0xWDXKEGw", "code": "487156"}'
At that time you'll get a JWT and normal successful login response.
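The two-step exchange described above, as an added client-side sketch (not part of the original answer and not FusionAuth's own code). It assumes a public client with no client secret, the token endpoint at /oauth2/token, and the JWT returned in a `token` field by the two-factor call; the function names and the injectable `post` transport are hypothetical.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://local.fusionauth.io"  # host taken from the curl example above


def http_post(url, body, content_type):
    """Default transport: POST and return (status, parsed JSON), including on 4xx."""
    req = urllib.request.Request(url, data=body, headers={"Content-Type": content_type})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def password_grant_with_mfa(username, password, client_id, get_code, post=http_post):
    """Run the password grant; if MFA is required, finish it with get_code()."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "username": username,
        "password": password, "client_id": client_id,
    }).encode()
    status, data = post(BASE_URL + "/oauth2/token", form,
                        "application/x-www-form-urlencoded")
    if status == 200 and "access_token" in data:
        return data["access_token"]  # account has no MFA configured
    if data.get("error") != "two_factor_required" or "two_factor_id" not in data:
        # Any other error is a failed login; never fall through to the MFA step.
        raise PermissionError(data.get("error", "login_failed"))
    # two_factor_id proves the password step succeeded: keep it out of logs.
    body = json.dumps({"twoFactorId": data["two_factor_id"],
                       "code": get_code()}).encode()
    status, data = post(BASE_URL + "/api/two-factor/login", body, "application/json")
    if status != 200 or "token" not in data:
        raise PermissionError("two_factor_failed")
    return data["token"]
```

`get_code` is called only after the server asks for a second factor, so the user is not prompted for a code on accounts without MFA or after a wrong password.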