Enroll Duo MFA after logging in to Okta via OIDC

My users are logging in to Okta using OIDC, to get an id_token.
After the user has logged in I want to trigger Duo MFA enrollment, which requires a stateToken.

IIUC the only way I can get the stateToken is to collect the user credentials and call POST /api/v1/authn with the credentials.
This leads to awkward UX since the user is already logged in, so there shouldn’t be another request to collect credentials.

What would be the best way to trigger Duo MFA enrollment after logging in using OIDC?

Hi @odpeer

If you are referring to enrolling the user after getting the JWT, you can try https://developer.okta.com/docs/reference/api/factors/#enroll-factor.

@dragos I probably didn’t give enough details.

When the user gets to my app I use OIDC to log the user in and get an id_token using the ${oktaBaseUrl}/oauth2/default/v1/authorize?client_id=${OKTA_CLIENT_ID}&sessionToken=${sessionToken}&nonce=${nonce}&response_type=id_token&scope=openid%20profile&state=${state}&redirect_uri=${uri} endpoint
This lets the user log in Okta screens and I get the id_token in the Location header in the response to that request.
I use the id_token to authorize subsequent events using Okta OIDC.

At this point all I have is an id_token, and a logged in user.
Now, I want to trigger Duo enrollment in my app.
I want to use the Enroll Duo Factor API - https://developer.okta.com/docs/reference/api/authn/#enroll-duo-factor, however, this API requires a stateToken. To get a state token I need to get the user credentials and call /api/v1/authn primary authenication.

I looked in the link you sent. It does not have an example of enrolling Duo as a factor.
When I tried to send a request POST {{url}}/api/v1/users/{{userId}}/factors with

  "factorType": "web",
  "provider": "DUO"

as described in https://developer.okta.com/docs/reference/api/factors/#supported-factors-for-providers I got the following error response

    "errorCode": "E0000060",
    "errorSummary": "Unsupported operation.",
    "errorLink": "E0000060",
    "errorId": "oae-cpHr3dWT3qPkiF7LqmHuQ",
    "errorCauses": []

Am I missing something in the link you sent?

Hi @odpeer

Can you please open a support case with us through an email to support@okta.com in order for one of Support Engineers to assist you with the integration?