Generating OIDC Token using PKCE with MFA

We have created a REST API to generate OIDC Token for an Okta Application using PKCE when the requestor sends the username/password using the Basic Auth headers. The REST API uses the Okta APIs for PKCE to generate the token and it works fine.

But now there is new requirement to add MFA to this custom REST API. How can this be implemented?

When MFA is switched on, /api/v1/authn generates the “sessionToken”, but the call to /oauth2/{{authServer}}/v1/authorize to get the “authorizationCode” fails.

If you are using the /authn pipeline and you get a sessionToken back from that request, that would imply to me that you were able to complete primary auth against the Global Session Policy. However, if you are seeing a failed request to /authorize, I kind of assume you’re including the parameter prompt=none which will prevent Okta from prompting the user to fulfill any MFA requirements that are set at the application level. This is expected as the App level MFA will not be evaluated until the user attempts to access the specific application.

You will either want to

  • Remove the App-level MFA requirement and instead require MFA in the Org level MFA policy
  • Make a browser redirect to /authorize so that the user can be prompted for MFA on the Okta domain (there is no other way to receive this prompt when using /authn!)
  • If you are using an Okta Identity Engine org, you could look to use our IDX libraries which do support app-level MFA (called Authentication Policies in OIE)
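An added illustration of the flow discussed above (example code, not from this thread or from Okta's own SDKs): the PKCE pair, the /authorize request carrying the /authn sessionToken with prompt=none deliberately omitted, and a check that tells a code or error returned to the redirect_uri apart from a redirect into Okta's own UI, which is the signal that an interactive factor (MFA) is required and cannot be satisfied over a back channel. Issuer, client_id and redirect_uri are placeholders; the /authorize parameter names are Okta's documented ones.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values for illustration; substitute your own org, app and callback.
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "client_id_placeholder"
REDIRECT_URI = "https://api.example.com/callback"


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple:
    """Fresh 32-byte random verifier (43 URL-safe chars) and its S256 challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(session_token: str, challenge: str, state: str, nonce: str) -> str:
    """/authorize request that trades the /authn sessionToken for an authorization code.
    prompt=none is intentionally absent: with it Okta can never prompt for
    app-level MFA and the request fails outright (see the reply above)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "sessionToken": session_token,
    }
    return f"{ISSUER}/v1/authorize?{urlencode(params)}"


def classify_authorize_redirect(location: str, expected_state: str) -> tuple:
    """Inspect the Location header of a /authorize response fetched with redirects disabled.
    A hop back to REDIRECT_URI carries a code or an error; any other target means
    Okta wants an interactive step (e.g. an MFA prompt) a headless client cannot finish."""
    got, want = urlparse(location), urlparse(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return "interactive_required", None
    q = parse_qs(got.query)
    if q.get("state", [None])[0] != expected_state:
        return "state_mismatch", None  # not our request; discard rather than redeem the code
    if "error" in q:
        return "error", q["error"][0]
    if "code" in q:
        return "code", q["code"][0]
    return "unexpected", None
```

The caller then POSTs the code together with the stored code_verifier to /v1/token; on "interactive_required" it must hand the user a browser redirect instead of retrying.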

Hi @andrea,

Thanks for responding. The request to /authorize doesn’t have prompt=none.

Is it in any way possible to supply MFA using a back channel instead of prompting the user through a browser for it, since it is a REST API?

Maybe the right question is whether there is any best practice for using OAuth with MFA for REST APIs?

Thanks
Vijay

If you’re in an OIE org, you could look to use the Direct Authentication grant type, which does allow you to prompt for certain factor types: Configure Direct Authentication grant types | Okta Developer
