FusionAuth

    Posts made by stephen.saucier 0

    • RE: 2FA

      @dan I have filed an issue here: https://github.com/FusionAuth/fusionauth-issues/issues/1627

      posted in Q&A
      stephen.saucier 0
    • RE: 2FA

      My only option here has been to disable MFA for this user and have them enable it again on next login.

      EDIT: Sorry, I didn't add a good topic name. Maybe "Invalid methodID for MFA-enabled user".

      posted in Q&A
      stephen.saucier 0
    • 2FA

      After I go through api/login with credentials of a user who has 2FA enabled, I get this response:

      {"methods":[{"id":"4ZF7","lastUsed":true,"method":"sms","mobilePhone":"17062259155"}],"twoFactorId":"ETCK_CQPo5ARy7SvrWC7vd4rC0ilbNRSc52pdE0rDd0"}

      I then immediately grab the method ID and twoFactorId from that and request that FA send a code to that two factor method, like so:

      curl -v \
      -X POST 'https://fa.capital.dev.tranwall.net/api/two-factor/send/ETCK_CQPo5ARy7SvrWC7vd4rC0ilbNRSc52pdE0rDd0' \
      -H 'Cookie: access_token=eyJhb...; refresh_token=Zzanp...' \
      -H 'Accept: application/json, text/plain, */*' \
      -H 'Content-Type: application/json' \
      -d '{"methodId":"4ZF7"}'

      Unfortunately, this responds with a 400:

      {"fieldErrors":{"methodId":[{"code":"[invalid]methodId","message":"The [methodId] is not valid. No two-factor method with this Id was found enabled for the user."}]}}

      Why would the methodId be invalid, if it is given to me by FA in the first place?

      posted in Q&A
      stephen.saucier 0
    • RE: TrustTokenRequired on change-password when MFA not enabled

      When I changed the user's password manually in FA (change on next login was still enabled), it then allowed the password to be changed properly via the API without any Trust Token.

      posted in Q&A
      stephen.saucier 0
    • TrustTokenRequired on change-password when MFA not enabled

      Using the change-password endpoint with a changePasswordId included from a login request (the user is marked as having to change his password on next login), we're getting a TrustTokenRequired response instead of a 200 success:

      {"generalErrors": [{"code": "[TrustTokenRequired]", "message": "This request requires a Trust Token. Use the Start Two-Factor API to obtain a Trust Token required to complete this request."}]}

      Multi-factor is not enabled for this user, so this response doesn't seem to make sense.

      Am I missing a setting somewhere or something else, or is this a bug?

      posted in Q&A
      stephen.saucier 0
    • RE: Get list of enabled MFA methods, with methodId

      @dan

      Here's what I'm picturing:

      1. User opens mobile app.
      2. User clicks login button
      3. User enters username and password into mobile app
      4. App hits the /oauth2/token endpoint with user/pass
      5. FA responds with twoFactorId and array of all enabled two factor methods, including the id of those methods
      6. App POSTs to /api/two-factor/send/{{twoFactorId}}, including the method ID from the above response in the body
      7. User sees OTP/code input screen & enters what they have received via email/SMS
      8. App sends the code to FusionAuth. It seems there isn't a way to do that via oauth endpoints (/api/two-factor/login seems like the only way to go).
      9. FusionAuth sends access/refresh tokens w/ user data back to app
      10. App user is now logged in

      We're now switching this over to /api/login instead, and we'll add every user to the application upon registration (which we hadn't been doing). I think that solves our issues. The question remains whether MFA can be used with OAuth login (steps 5 and 8 seem to indicate that it cannot).

      posted in Q&A
      stephen.saucier 0
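      The flow in the numbered steps above, as an added example that is not part of the post or of FusionAuth's own SDKs: a client picks the methodId out of the /api/login response, calls /api/two-factor/send and then /api/two-factor/login, and surfaces the [invalid]methodId 400 quoted in the 2FA thread as a typed error instead of swallowing it. The HTTP transport is injected so it runs offline; the stand-in server, phone number and all token values are constructed, and the request body shape for /api/two-factor/login is assumed.

```python
from typing import Callable, Dict, List, Tuple

# Constructed stand-ins for the values in the thread (the real ones are per-login secrets).
TWO_FACTOR_ID = "constructed-twoFactorId"
LOGIN_RESPONSE: Dict = {
    "methods": [{"id": "4ZF7", "lastUsed": True, "method": "sms", "mobilePhone": "15555550100"}],
    "twoFactorId": TWO_FACTOR_ID,
}
Transport = Callable[[str, str, Dict], Tuple[int, Dict]]  # (http_method, path, body) -> (status, body)

class MfaFlowError(Exception):
    """A step was rejected by the server; keeps the status and decoded error body for logging."""
    def __init__(self, step: str, status: int, body: Dict):
        super().__init__(f"{step} failed with HTTP {status}: {body!r}")
        self.step, self.status, self.body = step, status, body

def pick_method(login_response: Dict, preferred: str = "sms") -> str:
    """Choose the methodId from the /api/login response: preferred type, else lastUsed, else first."""
    methods: List[Dict] = login_response.get("methods") or []
    if not methods:
        raise ValueError("login response lists no enabled two-factor methods")
    for key in (lambda m: m.get("method") == preferred, lambda m: m.get("lastUsed")):
        for m in methods:
            if key(m):
                return m["id"]
    return methods[0]["id"]

def complete_two_factor(send: Transport, login_response: Dict, code: str) -> Dict:
    """Steps 5-9 of the flow above: send the code to the chosen method, then complete the login."""
    two_factor_id = login_response["twoFactorId"]
    body = {"methodId": pick_method(login_response)}
    status, resp = send("POST", f"/api/two-factor/send/{two_factor_id}", body)
    if status != 200:  # e.g. the [invalid]methodId 400 quoted in the 2FA thread
        raise MfaFlowError("two-factor/send", status, resp)
    status, resp = send("POST", "/api/two-factor/login", {"twoFactorId": two_factor_id, "code": code})  # body shape assumed
    if status != 200:
        raise MfaFlowError("two-factor/login", status, resp)
    return resp

def fake_transport(enabled_method_id: str) -> Transport:
    """Constructed server replaying the bodies quoted in the thread, for offline runs."""
    def _send(method: str, path: str, body: Dict) -> Tuple[int, Dict]:
        if path.startswith("/api/two-factor/send/"):
            if body.get("methodId") != enabled_method_id:
                return 400, {"fieldErrors": {"methodId": [{"code": "[invalid]methodId", "message": "The [methodId] is not valid."}]}}
            return 200, {}
        if path == "/api/two-factor/login":
            return 200, {"token": "constructed-access-token", "refreshToken": "constructed-refresh-token"}
        return 404, {}
    return _send
```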
    • RE: Get list of enabled MFA methods, with methodId

      I'm also noticing that api/login access token doesn't include several of the properties that the oauth endpoint does. These are missing from the response:

        "scope": "offline_access",
        "capitalUserId": "aff335f2....",
        "businessId": "98bd9f04....",
        "userId": "37a792f0-b630....",
        "userType": "EMPLOYEE"

      I'd rather use /oauth/token, but I can't because it doesn't include the methodId that I need for 2FA flows (the original problem).

      As far as I can tell, it also doesn't include the equivalent of /api/two-factor/login either, which has the same problem (the missing fields above).

      EDIT: I think these missing properties are because the user isn't registered to an application, so disregard that part.

      posted in Q&A
      stephen.saucier 0
    • RE: Get list of enabled MFA methods, with methodId

      @dan We're using grant_type: 'password' and scope: 'offline_access'. This is for a mobile app, where we're building our own flows.

      posted in Q&A
      stephen.saucier 0
    • Get list of enabled MFA methods, with methodId

      When a user logs in via the api/login endpoint, it returns a list of MFA methods enabled for that user. This includes the twoFactorId and the methodId of those methods, which is needed in the body of the /api/two-factor/send/{{twoFactorId}} request (to send the code via SMS/Email).

      However, when a user logs in via /oauth2/token, the response includes only the twoFactorId, so the client has insufficient data to send the 2FA code to that method.

      How can I get the methodId of each MFA method via the OAuth flow?
      As it stands, it appears the /api/login flow is the only possible way to get the list of enabled MFA methods.

      posted in Q&A
      stephen.saucier 0