Authorization via CLI with MFA doesn't work

Hi, my team wants to be able to authenticate to Okta via CLI (using curl) to get a Bearer token we could later use to communicate with our applications integrated with Okta from our local computer.

We managed to use https://{domain}.okta.com/api/v1/authn endpoint with username and password, which responded with status=MFA_REQUIRED.

Then we executed https://{domain}.okta.com/api/v1/authn/factors/{factorId}/verify with the state token from the previous request to send a push notification. After the notification is accepted on a phone, we executed the endpoint one more time and we received: "status": "SUCCESS", in the response along with a session token.

Now when we try to use that session token with the https://{domain}.okta.com/oauth2/default/v1/authorize/? endpoint with response_type=code, response_mode=form_post, our client_Id, state, scope, redirect_uri, code_challenge, and code_challenge_method → we always get the HTML login page back, as if sessionToken was incorrect or missing.

We tried a similar authentication procedure with our Okta account for tests where we don’t use MFA and we managed to get the authorization code without any problems (so we could use the authorization code with the token endpoint and get a Bearer token).

Is there anything additional we should execute with MFA or is it not possible to get an authorization code with MFA?

In the screenshot from this doc, you do get an HTML page in the response, but it does contain a “code” which can be exchanged for tokens.

https://support.okta.com/help/s/article/How-to-get-tokens-for-an-OIDC-application-without-a-browser-using-curlPostman

The link you provided does not show the MFA use case. I was able to do it without MFA, as I wrote above:

We tried a similar authentication procedure with our Okta account for tests where we don’t use MFA and we managed to get the authorization code without any problems (so we could use the authorization code with the token endpoint and get a Bearer token).

The article only mentions this:

  1. Note that users that are challenged for MFA will return a different status. If you must use a user that is prompted for MFA, read our API documentation for how to complete this transaction so you get a “SUCCESS” status back.

but I managed to achieve that as I wrote above:

Then we executed https://{domain}.okta.com/api/v1/authn/factors/{factorId}/verify with the state token from the previous request to send a push notification. After the notification is accepted on a phone, we executed the endpoint one more time and we received: "status": "SUCCESS", in the response along with a session token.

The next step though doesn’t work with MFA.
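An added example, not from this thread or from Okta, of the client-side pieces of the step that fails above: generating the PKCE pair, building the /authorize request with the sessionToken from /api/v1/authn as a query parameter, and pulling the code out of a response_mode=form_post page while checking that state matches. The org URL, client_id, redirect URI and the sample HTML are constructed placeholders; a login page coming back instead of a form_post page yields None, which is how a script can tell the session token was not accepted.

```python
import base64
import hashlib
import secrets
from html.parser import HTMLParser
from urllib.parse import urlencode

def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for PKCE with S256 (RFC 7636)."""
    verifier = verifier or base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(org, client_id, redirect_uri, session_token, code_challenge, state):
    """/authorize URL; sessionToken is passed as a query parameter (org/client values are placeholders)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "response_mode": "form_post",
        "scope": "openid profile",
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "sessionToken": session_token,
    }
    return f"{org}/oauth2/default/v1/authorize?{urlencode(params)}"

class _FormPostParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.fields = {}  # name -> value of every <input> on the page

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and "name" in a:
            self.fields[a["name"]] = a.get("value", "")

def extract_code(html, expected_state):
    """Code from a form_post page, or None if state mismatches or no code is present (e.g. login page)."""
    p = _FormPostParser()
    p.feed(html)
    if p.fields.get("state") != expected_state:
        return None
    return p.fields.get("code")

# Constructed sample of a response_mode=form_post page (not a real Okta response).
SAMPLE_FORM_POST = ('<html><body onload="document.forms[0].submit()">'
    '<form method="post" action="http://localhost:8080/callback">'
    '<input type="hidden" name="code" value="CONSTRUCTED_AUTH_CODE"/>'
    '<input type="hidden" name="state" value="abc123"/></form></body></html>')
```

The code returned by extract_code is then exchanged at the token endpoint together with the code_verifier from make_pkce_pair.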