I need to implement user login with MFA through Okta’s API. This is a legacy multi-tenant application, so certain choices have been made that I currently can’t change all at once.
What I want to do is:
- configure applications in Okta, some with MFA, some without
- call the authn API with user name and password and specify the application
- have it return a logged-in user if MFA isn’t required and MFA_REQUIRED if MFA is required
- if it is required, I can then call Okta’s verify endpoint with the user’s input
Currently, it seems I can’t add the application to the primary authentication endpoints. If I add audience I’ll get an error. So I could probably get this to work, but then I couldn’t set MFA on a per-application level.
I tried using OIDC’s ROPC grant with the /token endpoint so that I can set MFA per application, but if MFA is enabled, I’ll get back an error that ROPC and MFA can’t be combined.
So I’m stuck. Is my scenario even possible?
To recap: I want to give Okta a username, password and application. Then I want to know if the user is logged in or if they should provide a second factor. If so, I want to call the /verify endpoint and then know if the user is logged in. Is that possible?
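The two-step flow in the recap (primary authentication, then factor verification) as an added example; this is not code from the question or from Okta. It uses Okta's documented Authentication API paths (POST /api/v1/authn, then POST /api/v1/authn/factors/{factorId}/verify) and branches only on the returned `status`, treating anything other than a literal SUCCESS as "not logged in". The `transport(url, body) -> dict` callable, the user records and the response bodies in `fake_okta` are assumptions constructed so the file runs offline; for a real org you would pass something like `lambda url, body: requests.post(url, json=body).json()`. Note that, as the question says, the authn endpoint takes no application identifier, so per-application MFA policy is not addressed here.

```python
"""Added example: drive Okta's two-step Authentication API flow.
Endpoint paths are Okta's documented ones; `transport`, the fake org and
the sample users/responses below are assumptions made for offline use."""
from typing import Any, Callable, Dict, Tuple

Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]
# Outcome is ("SUCCESS", sessionToken), ("MFA_REQUIRED", ctx) or (other, detail).
Outcome = Tuple[str, Any]

AUTHN_PATH = "/api/v1/authn"
VERIFY_PATH = "/api/v1/authn/factors/{factor_id}/verify"


def primary_auth(org_url: str, username: str, password: str, transport: Transport) -> Outcome:
    """Step 1: username + password. Only a literal SUCCESS status means logged in."""
    resp = transport(org_url + AUTHN_PATH, {"username": username, "password": password})
    status = resp.get("status")
    if status == "SUCCESS":
        # sessionToken is single-use: exchange it for a session, never log it.
        return "SUCCESS", resp["sessionToken"]
    if status == "MFA_REQUIRED":
        # Okta returns a short-lived stateToken plus the user's enrolled factors.
        return "MFA_REQUIRED", {"stateToken": resp["stateToken"],
                                "factors": resp["_embedded"]["factors"]}
    # MFA_ENROLL, LOCKED_OUT, PASSWORD_EXPIRED, or an error body with no status:
    # fail closed and surface the detail to the caller.
    return status or "ERROR", resp.get("errorSummary")


def verify_factor(org_url: str, state_token: str, factor_id: str, pass_code: str,
                  transport: Transport) -> Outcome:
    """Step 2: submit the user's one-time code for the chosen factor."""
    url = org_url + VERIFY_PATH.format(factor_id=factor_id)
    resp = transport(url, {"stateToken": state_token, "passCode": pass_code})
    if resp.get("status") == "SUCCESS":
        return "SUCCESS", resp["sessionToken"]
    return resp.get("status") or "ERROR", resp.get("errorSummary")


def login(org_url: str, username: str, password: str, transport: Transport,
          code_prompt: Callable[[], str], factor_type: str = "token:software:totp") -> Outcome:
    """Run both steps; code_prompt() is only called when Okta demands a second factor."""
    outcome, payload = primary_auth(org_url, username, password, transport)
    if outcome != "MFA_REQUIRED":
        return outcome, payload
    factors = [f for f in payload["factors"] if f["factorType"] == factor_type]
    if not factors:
        return "NO_SUPPORTED_FACTOR", None
    return verify_factor(org_url, payload["stateToken"], factors[0]["id"],
                         code_prompt(), transport)


# ---- constructed offline stand-in for an Okta org (not a real tenant) ----
_FAKE_USERS = {
    "alice@example.com": {"password": "pw-alice", "mfa": False},
    "bob@example.com": {"password": "pw-bob", "mfa": True},
}
_FAKE_STATE = "st-constructed-1"
_FAKE_FACTOR = {"id": "ftk-constructed-1", "factorType": "token:software:totp", "provider": "OKTA"}


def fake_okta(url: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Mimics the shape of Okta's responses for the two endpoints used above."""
    if url.endswith(AUTHN_PATH):
        user = _FAKE_USERS.get(body.get("username", ""))
        if user is None or user["password"] != body.get("password"):
            return {"errorCode": "E0000004", "errorSummary": "Authentication failed"}
        if not user["mfa"]:
            return {"status": "SUCCESS", "sessionToken": "sess-alice"}
        return {"status": "MFA_REQUIRED", "stateToken": _FAKE_STATE,
                "_embedded": {"factors": [_FAKE_FACTOR]}}
    if url.endswith(VERIFY_PATH.format(factor_id=_FAKE_FACTOR["id"])):
        if body.get("stateToken") == _FAKE_STATE and body.get("passCode") == "123456":
            return {"status": "SUCCESS", "sessionToken": "sess-bob"}
        return {"errorCode": "E0000068", "errorSummary": "Invalid Passcode/Answer"}
    return {"errorCode": "E0000007", "errorSummary": "Not found"}


if __name__ == "__main__":
    org = "https://dev-000000.okta.com"  # placeholder org URL
    print(login(org, "alice@example.com", "pw-alice", fake_okta, lambda: "unused"))
    print(login(org, "bob@example.com", "pw-bob", fake_okta, lambda: "123456"))
    print(login(org, "bob@example.com", "pw-bob", fake_okta, lambda: "000000"))
```

The caller only ever sees a logged-in result when Okta itself returned SUCCESS; every other status, and every error body, falls through as not logged in, so a new intermediate state added by Okta later cannot be mistaken for a login.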