
    MFA with the password grant

    Q&A
    password grant mfa
    • dan

      Can I use MFA with the password grant (resource owner password credentials grant)?

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

      • dan

        Yes. While we recommend the Authorization Code grant in almost all situations, there are times when you need the password grant, and FusionAuth's MFA works with it just fine.

        When you begin the password grant, if the user has MFA set up, you won't receive the JWT on successful authentication. Instead you'll receive JSON like this:

        {"error":"two_factor_required","error_description":"The user has enabled two factor authentication.","two_factor_id":"gDNV2_fFtl7vhMV5_5bFJUL3ZyZ5Ine69n0xWDXKEGw"}
        

        You'll then need to use the provided two_factor_id to complete the MFA as documented here: https://fusionauth.io/docs/v1/tech/apis/login/#complete-multi-factor-authentication

        That might look something like this:

        curl https://local.fusionauth.io/api/two-factor/login -H 'content-type: application/json' -d '{"twoFactorId": "gDNV2_fFtl7vhMV5_5bFJUL3ZyZ5Ine69n0xWDXKEGw", "code": "487156"}'
        

        At that time you'll get a JWT and normal successful login response.

        • admin b
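        A client-side version of the two-step flow described above, as an added example (not FusionAuth's code and not part of the post): it runs the password grant against the token endpoint, and when the response is `two_factor_required` it completes the Two Factor Login call with the returned `two_factor_id`. `BASE_URL`, the client id/secret and the `get_code` prompt are assumptions; the `post` transport is injectable so the flow can be exercised offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed values: a local FusionAuth instance (host taken from the curl example above)
# and placeholder client credentials for the OAuth application.
BASE_URL = "https://local.fusionauth.io"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder
CLIENT_SECRET = "client-secret-placeholder"          # placeholder


def http_post(url, body, content_type):
    """Real transport: POST a body string and return (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": content_type})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        # FusionAuth returns the two_factor_required JSON on a non-2xx status
        return e.code, json.loads(e.read() or b"{}")


def login(username, password, get_code, post=http_post):
    """Password grant, then MFA completion if the user has a second factor.
    Returns the final response dict; raises on any other failure."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "username": username, "password": password,
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "scope": "openid",
    })
    status, body = post(f"{BASE_URL}/oauth2/token", form,
                        "application/x-www-form-urlencoded")
    if "access_token" in body:
        return body                       # user without MFA: JWT straight away
    if body.get("error") != "two_factor_required":
        raise RuntimeError(f"login failed: {status} {body.get('error')}")
    two_factor_id = body["two_factor_id"]  # one-time handle for this login attempt
    code = get_code()                      # prompt the user for their OTP
    status, body = post(f"{BASE_URL}/api/two-factor/login",
                        json.dumps({"twoFactorId": two_factor_id, "code": code}),
                        "application/json")
    if status != 200:
        raise RuntimeError(f"MFA step rejected: {status}")
    return body                            # Login API shape: JWT in the "token" field
```

Note that the token endpoint returns the JWT as `access_token`, whereas the Two Factor Login API returns it as `token`; the caller has to accept both shapes.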

          Thanks for addressing this use case. Your proposal, however, runs counter to any standardization effort: Long live OAuth! 🙂

          A better approach would be to switch from a password grant to the use of authorization codes (instead of passwords) to obtain the access token. This is fully within the OAuth framework and does not introduce fusionauth-specific hacks into the solution.

          We have created a simple HTML page that redirects to the fusionauth authorize endpoint with grant_type=authorization_code. The browser handles MFA as usual. Upon redirecting to this page, the page can harvest the authorization code for the user to copy. From there, proceed with the authorization code in place of a password.

          PS: Long live OAuth!
