Generating OIDC Token using PKCE with MFA

If you are using the /authn pipeline and you get a sessionToken back from that request, that would imply to me that you were able to complete primary auth against the Global Session Policy. However, if you are seeing a failed request to /authorize, I kind of assume you’re including the parameter prompt=none which will prevent Okta from prompting the user to fulfill any MFA requirements that are set at the application level. This is expected as the App level MFA will not be evaluated until the user attempts to access the specific application.

You will either want to

  • Remove the App-level MFA requirement and instead require MFA in the Org level MFA policy
  • Make a browser redirect to /authorize so that the user can be prompted for MFA on the Okta domain (there is no other way to receive this prompt when using /authn!)
  • If you are using an Okta Identity Engine org, you could look to use our IDX libraries, which do support app-level MFA (called Authentication Policies in OIE)
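As an added illustration of the second option above (a browser redirect to /authorize with PKCE and without prompt=none), here is a small Python helper that is not part of the original reply or of any Okta library. It generates an RFC 7636 code_verifier and S256 code_challenge, builds the /authorize URL, and includes a check that flags prompt=none so the request will not silently skip app-level MFA. The issuer, client_id and redirect_uri values are placeholders; the sessionToken parameter is the one Okta's /authorize endpoint accepts after a successful /authn primary authentication.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values (assumed for this example); substitute your own org's settings.
OKTA_ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oaEXAMPLECLIENTID"
REDIRECT_URI = "https://app.example.com/callback"


def generate_code_verifier(num_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43-128 unreserved characters.

    32 random bytes, base64url-encoded with padding stripped, yields 43 chars.
    """
    raw = secrets.token_bytes(num_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(
    code_verifier: str,
    state: str,
    nonce: str,
    session_token: Optional[str] = None,
) -> str:
    """Build the /authorize redirect URL the browser should be sent to.

    prompt=none is deliberately omitted: with a full browser redirect Okta can
    render the application-level MFA prompt on the Okta domain.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    if session_token:
        # sessionToken from /authn lets Okta establish the session without
        # re-prompting for primary credentials.
        params["sessionToken"] = session_token
    return f"{OKTA_ISSUER}/v1/authorize?{urlencode(params)}"


def uses_prompt_none(url: str) -> bool:
    """True if the request suppresses interactive prompts (and so app-level MFA)."""
    query = parse_qs(urlparse(url).query)
    return "none" in query.get("prompt", [])


if __name__ == "__main__":
    verifier = generate_code_verifier()
    url = build_authorize_url(verifier, state=secrets.token_urlsafe(16), nonce=secrets.token_urlsafe(16))
    print("Redirect the browser to:", url)
    print("prompt=none present:", uses_prompt_none(url))
```

Keep the code_verifier on the server or in the client that will later call the token endpoint; only the challenge goes into the redirect. If you see a failed /authorize in your logs, run its URL through uses_prompt_none first, since that parameter is the usual reason the MFA prompt never appears.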