I have MFA factor enrollment set org-wide to enroll users in MFA only when they are first challenged. Then I have an OIDC app using the Authorization Code flow which has a sign on policy that prompts for MFA once per session. So upon logging in to the OIDC app (making the call to /authorize), an MFA challenge is required.
Now my OIDC application is using a separate, self-hosted Okta sign-in widget for authentication. This means the OIDC app will redirect the user to a separate website that contains the sign-in widget. The sign-in widget then redirects back to the OIDC app once a session is established.
The issue I’m having is this:
- Starting on the OIDC app, I click Login. This makes the /authorize call, which returns an error to my callback endpoint. The error is ‘login_required’, ‘The client specified not to prompt, but the user isn’t signed in.’. This is expected. I then redirect the user to the Okta signin widget website.
- On the signin widget, they enter email and password, and are redirected back to the OIDC app.
- The OIDC app tries to make the /authorize call again, and another error is returned to my callback endpoint. This error is ‘login_required’, ‘The client specified not to prompt, but the client app requires re-authentication or MFA.’.
- So now I need to somehow redirect back to the signin widget website but manually initiate MFA enrollment. Is this possible?
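An added example, not the poster's code, of the OIDC app's side of the sequence above: building the `/authorize` request with `prompt=none`, then classifying what comes back to the callback endpoint so the app can tell the two `login_required` cases apart instead of bouncing to the widget indefinitely. The issuer, client id and redirect URI are constructed placeholders, and `{issuer}/v1/authorize` is assumed to be the authorize endpoint of a custom Okta authorization server.

```javascript
// Build the /authorize URL. prompt=none is what produces the
// "client specified not to prompt" errors described in the post.
function buildAuthorizeUrl(issuer, clientId, redirectUri, state, nonce, prompt = "none") {
  const u = new URL(`${issuer}/v1/authorize`); // assumed endpoint shape
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("scope", "openid profile");
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("state", state);
  u.searchParams.set("nonce", nonce);
  if (prompt) u.searchParams.set("prompt", prompt);
  return u.toString();
}

// Decide what the callback endpoint should do with the query string Okta sent back.
// expectedState is the value the app bound to this browser session before redirecting;
// widgetRedirects is how many times this session has already been sent to the widget.
function classifyCallback(query, expectedState, widgetRedirects = 0) {
  const params = new URLSearchParams(query);
  // Bind the response to the session first: an unknown state is not ours to act on.
  if (params.get("state") !== expectedState) {
    return { action: "reject", reason: "state_mismatch" };
  }
  const error = params.get("error");
  if (!error) {
    const code = params.get("code");
    return code ? { action: "exchange_code", code } : { action: "reject", reason: "no_code" };
  }
  if (error !== "login_required") {
    return { action: "reject", reason: error };
  }
  // Stop the widget <-> app loop the post describes: after two trips, surface the failure.
  if (widgetRedirects >= 2) {
    return { action: "reject", reason: "redirect_loop" };
  }
  const desc = params.get("error_description") || "";
  // First error in the sequence: no Okta session exists yet.
  if (/isn.t signed in/i.test(desc)) {
    return { action: "redirect_to_widget", reason: "not_signed_in" };
  }
  // Second error: a session exists, but the app's sign-on policy still wants MFA or re-auth.
  if (/requires re-authentication or MFA/i.test(desc)) {
    return { action: "redirect_to_widget", reason: "mfa_required" };
  }
  return { action: "redirect_to_widget", reason: "unknown" };
}
```

Logging the `reason` on every `redirect_to_widget` decision makes the second case (`mfa_required`) visible in the app's own logs, which is the point at which the sign-in widget, not the `/authorize` call, has to take over.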