Use API to log in with MFA configured per application

I need to implement user login with MFA through Okta’s API. This is a legacy multi-tenant application, so certain choices have been made that I currently can’t change all at once.

What I want to do is:

  • configure applications in Okta, some with MFA, some without
  • call the authn API with user name and password and specify the application
  • have it return a logged-in user if MFA isn’t required and MFA_REQUIRED if MFA is required
  • if it is required, I can then call Okta’s verify endpoint with the user’s input

Currently, it seems I can’t add the application to the primary authentication endpoints. If I add audience I’ll get an error. So I could probably get this to work but then I couldn’t set MFA on a per-application level.

I tried using OIDC’s ROPC grant with the /token endpoint so that I can set MFA per application, but if MFA is enabled, I’ll get back an error that ROPC and MFA can’t be combined.

So I’m stuck. Is my scenario even possible?

To recap: I want to give Okta a username, password and application. Then I want to know if the user is logged in or if they should provide a second factor. If so, I want to call the /verify endpoint and then know if the user is logged in. Is that possible?
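The two-step flow described above (primary authentication, then a factor verify call, with "logged in" meaning only a SUCCESS status carrying a session token), as an added example that is not part of the original post and is not Okta's own SDK code. It runs against a small in-memory fake org so it works offline; the request and response field names (`status`, `stateToken`, `sessionToken`, `_embedded.factors`, `_links.verify.href`, `passCode`) follow the shape documented for Okta's Authentication API, but treat that shape, the placeholder org URL and the fake users as assumptions. It shows only what the thread says is available today: the application is not passed to the authn call.

```python
# Added example (not from the forum thread or from Okta): the authn -> verify
# flow against a constructed in-memory fake Okta org. Field names follow the
# documented Okta Authentication API shape; treat the exact shape as an assumption.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PostFn = Callable[[str, dict], dict]  # (url, json body) -> parsed JSON; raises on HTTP error


@dataclass
class LoginResult:
    status: str                          # "SUCCESS", "MFA_REQUIRED", or another Okta status
    session_token: Optional[str] = None  # set only once status is SUCCESS
    state_token: Optional[str] = None    # transaction handle while MFA is still pending
    factors: List[Dict[str, str]] = field(default_factory=list)

    @property
    def logged_in(self) -> bool:
        # A session exists only on SUCCESS; MFA_REQUIRED must never be treated as a login.
        return self.status == "SUCCESS" and self.session_token is not None


def primary_auth(post: PostFn, base_url: str, username: str, password: str) -> LoginResult:
    """Step 1: username/password against /api/v1/authn."""
    resp = post(f"{base_url}/api/v1/authn", {"username": username, "password": password})
    status = resp.get("status", "UNKNOWN")
    if status == "SUCCESS":
        return LoginResult("SUCCESS", session_token=resp["sessionToken"])
    if status == "MFA_REQUIRED":
        factors = [
            {"id": f["id"], "factorType": f["factorType"], "verify_url": f["_links"]["verify"]["href"]}
            for f in resp["_embedded"]["factors"]
        ]
        return LoginResult("MFA_REQUIRED", state_token=resp["stateToken"], factors=factors)
    return LoginResult(status)  # e.g. LOCKED_OUT or PASSWORD_EXPIRED: the caller decides


def verify_factor(post: PostFn, verify_url: str, state_token: str, pass_code: str) -> LoginResult:
    """Step 2: submit the user's code to the factor's verify link."""
    resp = post(verify_url, {"stateToken": state_token, "passCode": pass_code})
    if resp.get("status") == "SUCCESS":
        return LoginResult("SUCCESS", session_token=resp["sessionToken"])
    return LoginResult(resp.get("status", "UNKNOWN"), state_token=resp.get("stateToken"))


def login(post: PostFn, base_url: str, username: str, password: str,
          code_provider: Callable[[Dict[str, str]], str]) -> LoginResult:
    """Full flow: SUCCESS is returned only after every required step has passed."""
    first = primary_auth(post, base_url, username, password)
    if first.status != "MFA_REQUIRED":
        return first
    factor = first.factors[0]  # constructed simplification: use the first enrolled factor
    return verify_factor(post, factor["verify_url"], first.state_token, code_provider(factor))


class FakeOkta:
    """Constructed stand-in for an Okta org: one user without MFA, one with a TOTP factor."""
    BASE = "https://example-org.okta.test"  # placeholder org URL, not a real tenant
    USERS = {
        "nomfa@example.test": {"password": "pw-1", "factor_code": None},
        "mfa@example.test": {"password": "pw-2", "factor_code": "123456"},
    }

    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}  # stateToken -> username awaiting a second factor

    def post(self, url: str, body: dict) -> dict:
        if url == f"{self.BASE}/api/v1/authn":
            user = self.USERS.get(body.get("username"))
            if not user or user["password"] != body.get("password"):
                raise PermissionError("401: Authentication failed")
            if user["factor_code"] is None:
                return {"status": "SUCCESS", "sessionToken": "sess-" + body["username"]}
            token = "state-" + body["username"]
            self.pending[token] = body["username"]
            return {
                "status": "MFA_REQUIRED",
                "stateToken": token,
                "_embedded": {"factors": [{
                    "id": "ftotp-1", "factorType": "token:software:totp",
                    "_links": {"verify": {"href": f"{self.BASE}/api/v1/authn/factors/ftotp-1/verify"}},
                }]},
            }
        if url.endswith("/api/v1/authn/factors/ftotp-1/verify"):
            username = self.pending.get(body.get("stateToken"))
            if username is None or self.USERS[username]["factor_code"] != body.get("passCode"):
                raise PermissionError("403: Invalid passcode or state token")
            del self.pending[body["stateToken"]]  # the state token is single-use
            return {"status": "SUCCESS", "sessionToken": "sess-" + username}
        raise LookupError(f"404: {url}")
```

Against a real org, `post` would be a thin wrapper that sends JSON over HTTPS to the org URL and raises on any non-2xx response, so a failed password or passcode surfaces as an exception rather than as a result with a status. The thing worth copying is the `logged_in` rule: the application should only mint its own session from a result that has a `sessionToken`, never from the intermediate `MFA_REQUIRED` response.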

@peter.morlion You can configure MFA on app level: App-level MFA | Okta.
And check policies: Policies | Okta Developer

Sure, but I can’t provide the app to Okta if I use the primary authentication (i.e. just passing in username and password to the authn API).