We have created a REST API to generate OIDC Token for an Okta Application using PKCE when the requestor sends the username/password using the Basic Auth headers. The REST API uses the Okta APIs for PKCE to generate the token and it works fine.
But now there is new requirement to add MFA to this custom REST API. How can this be implemented?
When the MFA is switched on, the /api/v1/authn call generates the “sessionToken”, but the call to /oauth2/{{authServer}}/v1/authorize to get the “authorizationCode” fails.
If you are using the /authn pipeline and you get a sessionToken back from that request, that would imply to me that you were able to complete primary auth against the Global Session Policy. However, if you are seeing a failed request to /authorize, I kind of assume you’re including the parameter prompt=none which will prevent Okta from prompting the user to fulfill any MFA requirements that are set at the application level. This is expected as the App level MFA will not be evaluated until the user attempts to access the specific application.
You will either want to:

1. Remove the App-level MFA requirement and instead require MFA in the Org level MFA policy.
2. Make a browser redirect to /authorize so that the user can be prompted for MFA on the Okta domain (there is no other way to receive this prompt when using /authn!).
3. If you are using an Okta Identity Engine org, you could look to use our IDX libraries, which do support app-level MFA (called Authentication Policies in OIE).
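To make the second option concrete, here is an added example (not code from the original posts or from Okta) of the client side of the flow the answer describes: generate a PKCE pair, build the /authorize URL that carries the sessionToken from /authn without prompt=none so Okta can prompt for app-level MFA, and inspect the redirect back for either a code or an error. The issuer, client_id and redirect URI values are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a given code_verifier (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge); verifier is 43 URL-safe chars."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        session_token: str, code_challenge: str, state: str,
                        prompt_none: bool = False) -> str:
    """URL the browser is redirected to. prompt=none is OFF by default so that
    Okta may interrupt the flow with an MFA prompt for the app's policy."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "sessionToken": session_token,  # obtained from /api/v1/authn
    }
    if prompt_none:
        params["prompt"] = "none"  # would make MFA-required apps fail instead of prompting
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> dict:
    """Read the redirect_uri callback: verify state, then return code or error."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale request")
    if "error" in q:
        return {"error": q["error"][0],
                "error_description": q.get("error_description", [""])[0]}
    return {"code": q["code"][0]}
```

Exchanging the returned code for tokens at /v1/token with the stored code_verifier is unchanged from the non-MFA flow.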