Get list of enabled MFA methods, with methodId
-
When a user logs in via the api/login endpoint, it returns a list of MFA methods enabled for that user. This includes the twoFactorId and the methodId of those methods, which is needed in the body of the /api/two-factor/send/{{twoFactorId}} request (to send the code via SMS/Email). However, when a user logs in via /oauth2/token, the response includes only the twoFactorId, so the client has insufficient data to send the 2FA code to that method. How can I get the methodId of each MFA method via the OAuth flow?

As it stands, it appears the /api/login flow is the only possible way to get the list of enabled MFA methods.
-
In general, the assumption is that if you are using the OAuth endpoints, you are using the hosted login pages, so FusionAuth is handling the MFA (which should take place well before you call the token endpoint, because it is part of authentication before the authorization code is generated). Which OAuth grant are you using?
-
@dan We're using grant_type: 'password' and scope: 'offline_access'. This is for a mobile app, where we're building our own flows.
-
I'm also noticing that the api/login access token doesn't include several of the properties that the oauth endpoint does. These are missing from the response: "scope": "offline_access", "capitalUserId": "aff335f2....", "businessId": "98bd9f04....", "userId": "37a792f0-b630....", "userType": "EMPLOYEE"

I'd rather use /oauth/token, but I can't because it doesn't include the methodId that I need for 2FA flows (the original problem). As far as I can tell, it also doesn't include the equivalent of /api/two-factor/login either, which has the same problem (the missing fields above).

EDIT: I think these missing properties are because the user isn't registered to an application, so disregard that part.
-
Hmmm. Can you walk me through the flow you want to see? Including when you want to send the MFA?
- User opens mobile app.
- User clicks login button
- User enters username and password into mobile app
...
That might help me understand what you are trying to do.
-
Here's what I'm picturing:
- User opens mobile app.
- User clicks login button
- User enters username and password into mobile app
- App hits the /oauth2/token endpoint with user/pass
- FA responds with twoFactorId and array of all enabled two factor methods, including the id of those methods
- App POSTs to /api/two-factor/send/{{twoFactorId}}, including the method ID from the above response in the body
- User sees OTP/code input screen & enters what they have received via email/SMS
- App sends the code to FusionAuth. It seems there isn't a way to do that via oauth endpoints (/api/two-factor/login seems like the only way to go).
- FusionAuth sends access/refresh tokens w/ user data back to app
- App user is now logged in

We're now switching this over to /api/login instead, and we'll add every user to the application upon registration (which we hadn't been doing). I think that solves our issues. The question remains whether MFA can be used with OAuth login (steps 5 and 8 seem to indicate that it cannot).
-
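The /api/login-based flow that the post above settles on, written out as an added example; this is not code from the thread or from FusionAuth. It assumes only the endpoints and response fields named in the discussion: POST /api/login answering 242 with a twoFactorId and a methods array (each method carrying its id), POST /api/two-factor/send/{twoFactorId} taking the methodId in its body, and POST /api/two-factor/login taking the code. The base URL, API key, application id, the preference order for methods and the fake server's data are constructed placeholders, and the fake server exists only so the client logic can be exercised offline.

```python
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

# A transport maps (http_method, path, json_body) -> (status, json_response),
# so the same client code can talk to a real server or to the fake below.
Transport = Callable[[str, str, Dict[str, Any]], Tuple[int, Dict[str, Any]]]


def http_transport(base_url: str, api_key: Optional[str] = None) -> Transport:
    """Real transport. base_url and api_key are deployment-specific assumptions;
    the Authorization header is only sent when a key is supplied."""
    def send(method: str, path: str, body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
        headers = {"Content-Type": "application/json"}
        if api_key:
            headers["Authorization"] = api_key
        req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                     headers=headers, method=method)
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:
            raw = err.read()
            return err.code, (json.loads(raw) if raw else {})
    return send


def start_login(send: Transport, login_id: str, password: str, application_id: str) -> Dict[str, Any]:
    """Step 1: POST /api/login. 200 means fully logged in; 242 means MFA is
    required and the body carries twoFactorId plus the enabled methods."""
    status, body = send("POST", "/api/login",
                        {"loginId": login_id, "password": password, "applicationId": application_id})
    if status == 200:
        return {"state": "done", "token": body.get("token"), "refreshToken": body.get("refreshToken")}
    if status == 242:
        return {"state": "mfa", "twoFactorId": body["twoFactorId"], "methods": body.get("methods", [])}
    raise RuntimeError(f"/api/login failed with HTTP {status}")


def choose_method(methods: List[Dict[str, Any]],
                  preference: Tuple[str, ...] = ("sms", "email", "authenticator")) -> Dict[str, Any]:
    """Pick the first enabled method in preference order (assumed channel names);
    its 'id' is the methodId the send endpoint needs."""
    for wanted in preference:
        for m in methods:
            if m.get("method") == wanted:
                return m
    raise RuntimeError("user has no usable MFA method enabled")


def send_code(send: Transport, two_factor_id: str, method_id: str) -> None:
    """Step 2: POST /api/two-factor/send/{twoFactorId} with the methodId in the body.
    Only delivered channels (SMS/email) need this; an authenticator app already has the code."""
    status, _ = send("POST", f"/api/two-factor/send/{two_factor_id}", {"methodId": method_id})
    if status != 200:
        raise RuntimeError(f"sending MFA code failed with HTTP {status}")


def complete_login(send: Transport, two_factor_id: str, code: str, application_id: str) -> Dict[str, Any]:
    """Step 3: POST /api/two-factor/login with the code the user typed."""
    status, body = send("POST", "/api/two-factor/login",
                        {"twoFactorId": two_factor_id, "code": code, "applicationId": application_id})
    if status != 200:
        raise RuntimeError(f"/api/two-factor/login failed with HTTP {status}")
    return {"state": "done", "token": body.get("token"), "refreshToken": body.get("refreshToken")}


def login_with_mfa(send: Transport, login_id: str, password: str, application_id: str,
                   read_code: Callable[[Dict[str, Any]], str]) -> Dict[str, Any]:
    """Whole flow; read_code is the app's prompt and receives the chosen method
    so the UI can say where the code went."""
    first = start_login(send, login_id, password, application_id)
    if first["state"] == "done":
        return first
    method = choose_method(first["methods"])
    if method["method"] in ("sms", "email"):
        send_code(send, first["twoFactorId"], method["id"])
    return complete_login(send, first["twoFactorId"], read_code(method), application_id)


def fake_fusionauth(valid_password: str = "correct horse", otp: str = "123456") -> Transport:
    """Constructed stand-in server so the flow runs offline. Its response shapes
    follow the thread's description; all ids, phone numbers and tokens are made up."""
    state: Dict[str, Any] = {"sent_to": None, "used": False}
    methods = [{"id": "m-sms-1", "method": "sms", "mobilePhone": "+15555550100"},
               {"id": "m-email-1", "method": "email", "email": "user@example.com"}]

    def send(method: str, path: str, body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
        if path == "/api/login":
            if body.get("password") != valid_password:
                return 404, {}
            return 242, {"twoFactorId": "tf-abc", "methods": methods}
        if path.startswith("/api/two-factor/send/"):
            known = {m["id"] for m in methods}
            if path.rsplit("/", 1)[1] != "tf-abc" or body.get("methodId") not in known:
                return 404, {}
            state["sent_to"] = body["methodId"]
            return 200, {}
        if path == "/api/two-factor/login":
            # the challenge is single-use: a second completion with the same id fails
            if state["used"] or body.get("twoFactorId") != "tf-abc" or body.get("code") != otp:
                return 421, {}
            state["used"] = True
            return 200, {"token": "access-token-constructed", "refreshToken": "refresh-constructed"}
        return 404, {}

    send.state = state  # exposed so a test can see what the fake recorded
    return send
```

Injecting the transport keeps the three-step state machine (password, send, code) testable without a running server; swap in http_transport("https://fusionauth.example.test", api_key="<placeholder>") to run it against a real instance.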
@stephen-saucier-0 you are correct that the password grant isn't compatible with MFA. We should note that as a limitation (or possible enhancement).
As you note, you have to drop out of standard OAuth to use MFA anyway (to send the code; there's no part of the OAuth grant that will do that for you). So I'm not sure what supporting MFA with the password grant gets you. What am I missing?
If you are worried about portability and being locked into the FusionAuth APIs, you can ameliorate that with an abstraction layer over the FusionAuth API.
-
More discussion here: https://github.com/FusionAuth/fusionauth-site/issues/1210
-
@stephen-saucier-0, This was resolved in 1.36.