My Org recently went through a troubling scenario where we had multiple applications using the Okta Classic Engine: mobile apps and two different web apps. We were in the process of transitioning our legacy web app to a new SPA utilizing the Okta Signin Widget and Auth JS.
In our lower environments we were testing MFA (Org) and everything seemed to be working fine; however, we never thought to test turning off the MFA (Org) policy and having only the app-level MFA turned on.
On deployment night we realized our MFA (Org) in our PROD env wasn't on, only the app-level MFA. Users were NOT able to MFA into the application and access to the app was denied.
Come to find out that app-level MFA DOES NOT work with the Okta Signin Widget by default when using the showSignInToGetTokens method. However, it works perfectly fine with the MFA (Org) policies.
For certain reasons we were not allowed to use the MFA (Org) policy in Production, so we had to do a workaround.
showSignInAndRedirect was the method we switched to, and then we created a new /redirect URL on our app for the MFA to redirect to. From there, we checked for isLoginRedirect and then, if that condition was true, we called handleLoginRedirect, which then parsed the code from the query params and requested the tokens.
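As an added worked example (not code from the post or from Okta's own samples), here is the /redirect handling described above in JavaScript, using the okta-auth-js method names the post mentions (isLoginRedirect, handleLoginRedirect) plus tokenManager.get and getOriginalUri from the same SDK. The widget option values are placeholders and fakeAuthClient is a constructed stand-in so the logic runs offline; it also covers the two cases the post does not spell out, an ?error= response and a direct visit to /redirect.

```javascript
// Added example (not from the original post): the /redirect flow it describes,
// using the okta-auth-js names the post mentions; fakeAuthClient is a
// constructed offline stand-in for the client the widget creates.

// Widget options the post implies (placeholder values). With
// showSignInAndRedirect, Okta returns to redirectUri with ?code=&state=
// once primary auth and app-level MFA both succeed.
const widgetConfig = {
  baseUrl: 'https://example.okta.com',             // placeholder org URL
  clientId: '{clientId}',                          // placeholder
  redirectUri: 'https://app.example.com/redirect', // the /redirect route
  authParams: { pkce: true, responseType: ['code'] },
};

// What the /redirect route should do for the URL it was loaded at.
function classifyRedirect(authClient, url) {
  const params = new URL(url).searchParams;
  // Okta reports a refused authorization (e.g. MFA not satisfied) via ?error=
  if (params.has('error')) return { action: 'error', error: params.get('error') };
  // Direct visit to /redirect with no authorization response: nothing to
  // exchange, so send the user back to sign-in instead of calling the SDK.
  if (!authClient.isLoginRedirect()) return { action: 'not-a-redirect' };
  return { action: 'complete' };
}

// Finish login: handleLoginRedirect reads code+state from the URL, verifies
// state, exchanges the code for tokens and stores them in the token manager.
async function completeLogin(authClient, url) {
  const decision = classifyRedirect(authClient, url);
  if (decision.action !== 'complete') return decision;
  await authClient.handleLoginRedirect();
  const accessToken = await authClient.tokenManager.get('accessToken');
  return { action: 'complete', accessToken, next: authClient.getOriginalUri() || '/' };
}

// Constructed stand-in: the real isLoginRedirect() inspects window.location,
// this one inspects the URL it was built with. Only for running offline.
function fakeAuthClient(url, expectedState = 'expected-state') {
  const params = new URL(url).searchParams;
  const store = {};
  return {
    isLoginRedirect: () => params.has('code') || params.has('error'),
    handleLoginRedirect: async () => {
      if (params.get('state') !== expectedState) throw new Error('state mismatch');
      store.accessToken = { accessToken: 'token-for-' + params.get('code') };
    },
    tokenManager: { get: async (key) => store[key] },
    getOriginalUri: () => '/dashboard',
  };
}
```

In the real app, widgetConfig is passed to the widget constructor and the route handler calls completeLogin with the actual auth client and window.location.href.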