Solution (MFA - App Level, Unsupported with showSignInToGetTokens)
My Org recently went through a troubling scenario where we had multiple applications using the Okta Classic Engine: mobile apps and two different web apps. We were in the process of transitioning our legacy web app to a new SPA utilizing the Okta Signin Widget and Auth JS.
In our lower environments we were testing MFA (Org) and everything seemed to be working fine, however we never thought to test turning off MFA (Org) policy and only having the App level MFA turned on.
On deployment night we realized our MFA (Org) in our PROD env wasn’t on, only the App level MFA. Users were NOT able to MFA into the application and access to the App was denied.
Come to find out that MFA App level DOES NOT work with the Okta Signin Widget by default when using the showSignInToGetTokens method. However, it works perfectly fine with the MFA (Org) policies.
For certain reasons we were not allowed to use the MFA (Org) policy in Production, so we had to do a workaround.
showSignInAndRedirect was the method we switched to, and then we created a new /redirect URL on our app for the MFA to redirect to. From there, we checked for isLoginRedirect, and then, if that condition was true, we called handleLoginRedirect, which then parsed the state and code from the query params and requested the tokens.
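The routing the post describes, written out as an added example (this is not code from the post, and not Okta's own sample code). It assumes the Sign-In Widget methods the post names (showSignInAndRedirect, and the auth-js methods isLoginRedirect, handleLoginRedirect and tokenManager.getTokens on the widget's authClient); the widget and auth client are passed in as parameters so the page-load logic can be exercised without a browser, a network or the Okta packages, and the org URL, client ID and redirect URI are placeholders.

```javascript
// Added example, not from the original post. Models: sign in with
// showSignInAndRedirect(), let Okta (including app-level MFA) redirect back to
// /redirect, then finish the flow with isLoginRedirect()/handleLoginRedirect().

const REDIRECT_PATH = '/redirect';

// Widget configuration of the shape the post's setup implies.
// All values below are placeholders, not values from the post.
const widgetConfig = {
  baseUrl: 'https://YOUR_ORG.okta.com',                      // placeholder
  clientId: 'YOUR_CLIENT_ID',                                // placeholder
  redirectUri: 'https://app.example.com' + REDIRECT_PATH,    // placeholder
  authParams: {
    issuer: 'https://YOUR_ORG.okta.com/oauth2/default',      // placeholder
    pkce: true,
  },
};

// Read the authorization response from the callback URL. On success Okta sends
// back `code` and `state`; on failure `error` (+ `error_description`).
// Any other URL, including /redirect without those params, is not a callback.
function parseCallback(url) {
  const u = new URL(url);
  if (u.pathname !== REDIRECT_PATH) return { kind: 'not_callback' };
  const p = u.searchParams;
  if (p.has('error')) {
    return { kind: 'error', error: p.get('error'), description: p.get('error_description') || '' };
  }
  if (p.has('code') && p.has('state')) {
    return { kind: 'code', code: p.get('code'), state: p.get('state') };
  }
  return { kind: 'not_callback' };
}

// Run on every page load. `authClient` is the widget's authClient (an OktaAuth
// instance), `widget` is the OktaSignIn instance, `el` is the mount selector.
async function handleRoute(currentUrl, { authClient, widget, el }) {
  const cb = parseCallback(currentUrl);

  if (cb.kind === 'error') {
    // Okta can send the user back with an error (e.g. denied by policy);
    // surface it rather than re-rendering the widget in a loop.
    return { action: 'error', error: cb.error };
  }

  // isLoginRedirect() is the auth-js check the post relied on: true when the
  // current URL looks like a login callback.
  if (cb.kind === 'code' && authClient.isLoginRedirect()) {
    // handleLoginRedirect() reads code/state from the URL, matches the state
    // against the transaction stored when the flow started, exchanges the code
    // for tokens and stores them in tokenManager. It does not return the tokens,
    // so read them back from tokenManager afterwards.
    await authClient.handleLoginRedirect();
    const tokens = await authClient.tokenManager.getTokens();
    return { action: 'signed_in', hasAccessToken: Boolean(tokens && tokens.accessToken) };
  }

  // Not a callback: render the widget and let it redirect the user to Okta,
  // where the app-level MFA policy is enforced before Okta redirects back.
  widget.showSignInAndRedirect({ el });
  return { action: 'widget_shown' };
}
```

In a real SPA the two parameters would be `new OktaSignIn(widgetConfig)` and its `.authClient`, and `handleRoute(window.location.href, ...)` would run once on load; the point of keeping the callback parsing separate is that an `error` callback and a bare visit to /redirect are handled explicitly instead of falling into the widget-render branch and looping.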