How to Implement Adaptive MFA using Okta Authentication API

Hello, I am implementing an authentication middleware driving authentication with Okta (login / pass + MFA).
I use the following APIs:

//To submit login and password:
https://{{oktaDomain}}/api/v1/authn
//To trigger MFA on the email factor:
https://{{oktaDomain}}/api/v1/users/{{userid}}/factors/{{emailFactorId}}
//To submit the OTP:
https://{{oktaDomain}}/api/v1/authn/factors/{{emailFactorId}}

The first API always returns MFA_REQUIRED.
Configuring a Global Session Policy in Okta does not help, because there is no cookie set with those APIs.

Is there a way to implement “Adaptive MFA” with APIs, relying only on Okta?

Thanks.

Hello,

If your Global Session Policy (OIE?) has password + factor, then /authn will return MFA_REQUIRED. Depending on the allowed factors and what the user is registered for, you would need to go through the verification process. If using email, after submitting the passcode in the last step you should get back a sessionToken in the response.

Do you see the sessionToken returned?
If so, at this point Okta will not have added the set-cookie for the sid cookie to any of the above responses; to set the cookie you will have to use one of the three options in the link below.

Thank you,

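The flow Eric describes (/authn answering MFA_REQUIRED, verifying the email factor with the stateToken, receiving a sessionToken, and only then setting the sid cookie through a separate step) as an added Python example; it is not code from this thread or from Okta. FakeOkta is a constructed stand-in that returns the response shapes of the real Authentication API so the script runs offline, and the domain, tokens and OTP value are placeholders; the /api/v1/authn/factors/{id}/verify and /login/sessionCookieRedirect endpoints are Okta's.

```python
from urllib.parse import urlencode

# Constructed stand-in for the Okta Authentication API responses discussed above:
# /authn -> MFA_REQUIRED, factor verify -> MFA_CHALLENGE, passcode -> SUCCESS.
# A real middleware would POST these bodies over HTTPS to https://{oktaDomain}.
class FakeOkta:
    def __init__(self):
        self.state = "00stateTOKEN_constructed"

    def post(self, path, body):
        if path == "/api/v1/authn":
            return {"status": "MFA_REQUIRED", "stateToken": self.state,
                    "_embedded": {"factors": [{"id": "emf_constructed", "factorType": "email"}]}}
        if path.startswith("/api/v1/authn/factors/") and path.endswith("/verify"):
            assert body["stateToken"] == self.state, "stateToken must be threaded through"
            if "passCode" not in body:          # first call sends the email OTP
                return {"status": "MFA_CHALLENGE", "stateToken": self.state}
            if body["passCode"] == "123456":    # placeholder OTP for the constructed fake
                return {"status": "SUCCESS", "sessionToken": "20111sessionTOKEN_constructed"}
            return {"errorSummary": "Invalid Passcode/Answer"}
        raise ValueError(f"unexpected path {path}")

def authenticate(okta, username, password, read_otp):
    """Drive the /authn state machine until SUCCESS and return the sessionToken."""
    r = okta.post("/api/v1/authn", {"username": username, "password": password})
    if r["status"] == "SUCCESS":                # policy did not require a factor
        return r["sessionToken"]
    if r["status"] != "MFA_REQUIRED":
        raise RuntimeError(f"unhandled status {r['status']}")
    factor = next(f for f in r["_embedded"]["factors"] if f["factorType"] == "email")
    verify = f"/api/v1/authn/factors/{factor['id']}/verify"
    # The stateToken identifies the transaction and must be sent on every step.
    r = okta.post(verify, {"stateToken": r["stateToken"]})
    if r["status"] != "MFA_CHALLENGE":
        raise RuntimeError(f"unhandled status {r['status']}")
    r = okta.post(verify, {"stateToken": r["stateToken"], "passCode": read_otp()})
    if r.get("status") != "SUCCESS":
        raise PermissionError(r.get("errorSummary", "verification failed"))
    return r["sessionToken"]

def session_cookie_redirect(okta_domain, session_token, redirect_url):
    """None of the API responses set the sid cookie; the browser has to be sent
    through an Okta endpoint that exchanges the sessionToken for the cookie."""
    qs = urlencode({"token": session_token, "redirectUrl": redirect_url})
    return f"https://{okta_domain}/login/sessionCookieRedirect?{qs}"
```

The server-side middleware can drive the first function entirely from the web server; only the final redirect needs to happen in the user's browser, because that is where the sid cookie must land.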

Thanks Eric,

Can my problem come from the fact that my APIs are triggered from the web server, and not from an application in the browser?
Are the authentication APIs only supposed to be used from a client app running in the browser?

Regards