Here's what I'm picturing:
- User opens mobile app.
- User clicks login button.
- User enters username and password into mobile app.
- App hits the `/oauth2/token` endpoint with user/pass - FA responds with `twoFactorId` and an array of all enabled two-factor methods, including the `id` of those methods.
- App POSTs to `/api/two-factor/send/{{twoFactorId}}`, including the method ID from the above response in the body.
- User sees OTP/code input screen & enters what they have received via email/SMS.
- App sends the code to FusionAuth. It seems there isn't a way to do that via OAuth endpoints (`/api/two-factor/login` seems like the only way to go).
- FusionAuth sends access/refresh tokens w/ user data back to app.
- App user is now logged in.

We're now switching this over to `/api/login` instead, and we'll add every user to the application upon registration (which we hadn't been doing). I think that solves our issues. The question remains whether MFA can be used with OAuth login (steps 5 and 8 seem to indicate that it cannot).
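The mobile-app side of the exchange described above, as an added example that is not part of the original post and not FusionAuth's own client code. The first step uses `/api/login` (the endpoint the post says they are switching to) and the remaining steps use `/api/two-factor/send/{twoFactorId}` and `/api/two-factor/login` as named in the post. The HTTP transport is injected so the whole flow runs offline against a constructed stand-in server. The status code 242 for "MFA required", the JSON field names (`loginId`, `applicationId`, `twoFactorId`, `methods`, `methodId`, `code`, `token`, `refreshToken`, `user`) and the API-key header are assumptions drawn from the FusionAuth Login and Two Factor APIs and should be checked against the deployed version; the stand-in server's own error codes are simply made up for the example.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

# transport(method, url, json_body, headers) -> (http_status, parsed_json_body).
# Injected so the flow can be driven by a real HTTP client or by a fake.
Transport = Callable[[str, str, Optional[Dict[str, Any]], Dict[str, str]],
                     Tuple[int, Dict[str, Any]]]

STATUS_MFA_REQUIRED = 242   # assumption: /api/login answers 242 when 2FA is required


class LoginError(Exception):
    pass


@dataclass
class MfaChallenge:
    two_factor_id: str             # short-lived secret: never log or persist it
    methods: List[Dict[str, Any]]  # assumed shape: {"id": "...", "method": "email"|"sms"|"authenticator"}


@dataclass
class Session:
    access_token: str
    refresh_token: str
    user: Dict[str, Any]


def start_login(transport: Transport, base_url: str, api_key: str, application_id: str,
                username: str, password: str):
    """Submit credentials. Returns a Session if the user has no MFA enabled,
    or an MfaChallenge carrying twoFactorId plus the enabled methods."""
    status, body = transport(
        "POST", f"{base_url}/api/login",
        {"loginId": username, "password": password, "applicationId": application_id},
        {"Authorization": api_key})
    if status == STATUS_MFA_REQUIRED and "twoFactorId" in body:
        return MfaChallenge(body["twoFactorId"], list(body.get("methods", [])))
    if status == 200 and "token" in body:
        return Session(body["token"], body.get("refreshToken", ""), body.get("user", {}))
    # Deliberately vague: the app must not reveal which of user/password was wrong.
    raise LoginError(f"login rejected (HTTP {status})")


def pick_method(challenge: MfaChallenge, preferred=("authenticator", "email", "sms")):
    """Pick the strongest enabled method the app supports, in preference order."""
    for kind in preferred:
        for m in challenge.methods:
            if m.get("method") == kind:
                return m
    raise LoginError("no supported two-factor method enabled for this user")


def send_code(transport: Transport, base_url: str, challenge: MfaChallenge, method: Dict[str, Any]) -> bool:
    """Ask the server to deliver a code for an email/SMS method.
    A TOTP app ('authenticator') needs no delivery, so nothing is sent for it."""
    if method.get("method") == "authenticator":
        return False
    status, _ = transport(
        "POST", f"{base_url}/api/two-factor/send/{challenge.two_factor_id}",
        {"methodId": method["id"]}, {})
    if status != 200:
        raise LoginError(f"code delivery failed (HTTP {status})")
    return True


def complete_login(transport: Transport, base_url: str, application_id: str,
                   challenge: MfaChallenge, code: str) -> Session:
    """Exchange twoFactorId and the code the user typed for tokens."""
    status, body = transport(
        "POST", f"{base_url}/api/two-factor/login",
        {"twoFactorId": challenge.two_factor_id, "code": code.strip(),
         "applicationId": application_id}, {})
    if status != 200 or "token" not in body:
        raise LoginError(f"two-factor login rejected (HTTP {status})")
    return Session(body["token"], body.get("refreshToken", ""), body.get("user", {}))


class FakeFusionAuth:
    """Constructed stand-in for the server: canned responses, records every call."""
    def __init__(self):
        self.calls: List[Tuple[str, str, Any, Dict[str, str]]] = []
        self.two_factor_id = "tfid-constructed-0001"
        self.expected_code = "123456"

    def __call__(self, method, url, body, headers):
        self.calls.append((method, url, body, headers))
        if url.endswith("/api/login"):
            if body.get("password") != "correct horse battery staple":
                return 404, {}
            return STATUS_MFA_REQUIRED, {
                "twoFactorId": self.two_factor_id,
                "methods": [{"id": "m-sms", "method": "sms"},
                            {"id": "m-email", "method": "email", "email": "alice@example.test"}]}
        if url.endswith(f"/api/two-factor/send/{self.two_factor_id}"):
            return 200, {}
        if url.endswith("/api/two-factor/login"):
            if body.get("twoFactorId") == self.two_factor_id and body.get("code") == self.expected_code:
                return 200, {"token": "access.jwt.constructed", "refreshToken": "refresh-1",
                             "user": {"email": "alice@example.test"}}
            return 421, {}  # made-up code for the fake only
        return 404, {}


def run_flow(transport: Transport, base_url: str, username: str, password: str, code: str) -> Session:
    """The whole sequence the post lists, end to end."""
    result = start_login(transport, base_url, "api-key", "app-1", username, password)
    if isinstance(result, Session):
        return result
    method = pick_method(result)
    send_code(transport, base_url, result, method)
    return complete_login(transport, base_url, "app-1", result, code)
```

Two points worth keeping from the design: the `twoFactorId` is an authentication secret in its own right (whoever holds it and the delivered code finishes the login), so it lives only in memory for the duration of the challenge; and the app never branches on why `/api/login` failed, so it cannot be used to enumerate usernames.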