Presenting MFA Challenges within Okta

Hi team,

Are there any endpoints exposed for initiating an MFA challenge?

Suppose a custom SPA integrated with Okta APIs but rendered its own UI. Would we be able to initiate MFA challenges (Okta Verify, etc.) within our own application code that would use Authenticators that are configured in Okta, without requiring admin-level scopes and roles?

If not, does Okta expose any URLs that would serve the sole purpose of presenting an MFA challenge to a user, along with a redirect_uri that would return them to the SPA? Similar to how End-user Enrollments works but without showing the enrollment form - just a challenge for the user and then a redirect if successful?

Many thanks

API Reference - Verify a Factor - yes, it’s possible to send an Okta Verify challenge, then poll a link for the response to the challenge - or to use other factors.

I also would recommend that you review https://developer.okta.com/docs/concepts/policies/ to leverage Okta’s various policies (factor enrollment policy, authentication policy, etc.) to set up rules for allowing access to the SPA.

These guides might also serve as a helpful reference:

Thank you kindly for your response Bryan.

Unfortunately, as a colleague of yours pointed out, "You need admin permissions and the okta.users.manage scope to enroll using the Factors endpoint, it's not something that can be invoked with an OAuth token issued to an end user." I don’t think the above is a viable approach.

The Okta.manage.users scope is not one we want to permit users to claim.

Thank you again though for the above docs. They’ll have insights for sure.
