Using Application Sign-on Policy with MFA via API

I’m working on an existing application that requires a custom login screen with MFA and needs to pass user credentials to our backend Java server to authenticate with a different system. I am looking into using the okta-auth-java SDK to authenticate with Okta and perform the MFA. I’ve tried setting up an OIDC app in Okta with a Sign-on rule to require MFA; however, I can’t figure out how to authenticate against my application.

Code sample:

import com.okta.authn.sdk.client.AuthenticationClient;
import com.okta.authn.sdk.client.AuthenticationClients;
import com.okta.authn.sdk.http.RequestContext;
import com.okta.authn.sdk.resource.AuthenticationRequest;

// Client bound to the Okta org; oktaUrl is the org URL (https://{yourOktaDomain}), not the app's URL.
AuthenticationClient oktaAuthenticationClient = AuthenticationClients.builder()
        .setOrgUrl(oktaUrl)
        .build();
// Forward the end user's User-Agent and client IP so Okta evaluates the request
// as coming from the user rather than from the backend server.
RequestContext requestContext = new RequestContext()
        .addHeader("User-Agent", httpServletRequest.getHeader("User-Agent"))
        .addHeader("X-Forwarded-For", getClientIpAddress(httpServletRequest));
// Primary authentication. "audience" names the app the sign-in is intended for;
// stateHandler receives the resulting status (SUCCESS, MFA_REQUIRED, ...).
oktaAuthenticationClient.authenticate(
        oktaAuthenticationClient.instantiate(AuthenticationRequest.class)
                .setUsername(userName)
                .setPassword(password)
                .setAudience(audience),
        requestContext,
        stateHandler
);

When I set the “audience” property as shown in the code sample, I get the error “Sign-in not allowed for app ‘{audience}’”. However, if I don’t set the audience, login is immediately successful and does not require MFA, since Okta doesn’t seem to have any knowledge that I’m trying to log in to a specific app and so uses our org-wide policy.

Is there a way to authenticate via the API using my application’s Sign-on Policy?

Hi @jzirilli,

According to this documentation, it seems like your application could be unsupported. :frowning:
https://developer.okta.com/docs/reference/api/authn/#response-example-for-unsupported-application

I’m not quite sure why an OIDC application would be unsupported, though.
Upon reading further, only WS-Fed and SAML apps are currently supported:
https://developer.okta.com/docs/reference/api/authn/#idp-initiated-step-up-authentication

Thanks for your reply @vijet. Yes, I think you’re right that OIDC applications are unsupported for this flow. After digging into it, it seems (correct me if I’m wrong) that the flow for SAML/WS-Fed is to authenticate directly with an application, whereas for OIDC you first authenticate with the organization to obtain a session token and then authorize with the application to get the OAuth tokens. Since the MFA sign-on policy is set for my app and not my org, MFA isn’t triggered until trying to authorize with the application.

However, the mechanisms for getting OAuth tokens all seem to involve browser redirects: https://developer.okta.com/docs/guides/session-cookie/overview/. When an application-level MFA rule is set, this redirect first brings you to Okta’s MFA page, where you can trigger push notifications or handle any other supported second factors. The application I’m working on has a custom MFA page. I guess my real question is: is there a way to authorize from a backend service via an API call that will give me some kind of MFA_REQUIRED response with factorIds, so that I can redirect to our custom MFA page and handle MFA and the final authorization?

Hi, we have the same issue on the front-end side. We are using the auth-js lib and are not able to figure out how to get MFA_REQUIRED from authorize for an app-level policy?

@vijet please let me know if you were able to resolve the issue, thanks

I’d love to see this functionality as well. It’s super easy to authenticate using the API if MFA is required at the org level. However, if an app requires MFA, it seems impossible to use the API.

The AWS CLI tools that support this do it by actually loading the user-facing HTML and parsing the JavaScript for tokens.

It would be great if this was officially supported in the API so we don’t have to resort to hacks like parsing a page for JavaScript tokens.
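For reference, this is what the org-level case the two posts above describe looks like with okta-auth-java: primary authentication returns MFA_REQUIRED with a stateToken and factor list, the factor ids are handed to a custom MFA page, and the user's code is verified with verifyFactor. This is an added example, not code from the thread or from Okta; the CustomMfaPage callback interface is hypothetical, and, as the thread concludes, an app-level sign-on policy does not produce this MFA_REQUIRED response through the Authn API.

```java
import java.util.List;
import com.okta.authn.sdk.AuthenticationException;
import com.okta.authn.sdk.AuthenticationStateHandlerAdapter;
import com.okta.authn.sdk.client.AuthenticationClient;
import com.okta.authn.sdk.client.AuthenticationClients;
import com.okta.authn.sdk.resource.AuthenticationResponse;
import com.okta.authn.sdk.resource.Factor;
import com.okta.authn.sdk.resource.VerifyPassCodeFactorRequest;

/** Org-level MFA via the Authn API: password -> MFA_REQUIRED -> verifyFactor -> SUCCESS. */
public class OrgLevelMfaLogin {

    /** Hypothetical callbacks into the application's own MFA screen (not part of the SDK). */
    public interface CustomMfaPage {
        void showFactors(String stateToken, List<Factor> factors);
        void loginComplete(String sessionToken);
    }

    private final AuthenticationClient client;

    public OrgLevelMfaLogin(String orgUrl) {
        this.client = AuthenticationClients.builder().setOrgUrl(orgUrl).build();
    }

    /** Step 1: primary authentication. The stateToken ties the later factor verification to this attempt. */
    public void startLogin(String username, char[] password, CustomMfaPage page) throws AuthenticationException {
        client.authenticate(username, password, null, new AuthenticationStateHandlerAdapter() {
            @Override public void handleMfaRequired(AuthenticationResponse r) {
                // Org policy requires a second factor: let the custom page pick one of r.getFactors().
                page.showFactors(r.getStateToken(), r.getFactors());
            }
            @Override public void handleSuccess(AuthenticationResponse r) {
                // No MFA required by the org policy; the one-time sessionToken completes login.
                page.loginComplete(r.getSessionToken());
            }
            @Override public void handleUnknown(AuthenticationResponse r) {
                throw new IllegalStateException("Unexpected Authn status: " + r.getStatus());
            }
        });
    }

    /** Step 2: verify the code entered on the custom page against the factor the user chose. */
    public void finishLogin(String stateToken, String factorId, String passCode, CustomMfaPage page)
            throws AuthenticationException {
        VerifyPassCodeFactorRequest req = client.instantiate(VerifyPassCodeFactorRequest.class);
        req.setPassCode(passCode);
        req.setStateToken(stateToken);
        client.verifyFactor(factorId, req, new AuthenticationStateHandlerAdapter() {
            @Override public void handleSuccess(AuthenticationResponse r) { page.loginComplete(r.getSessionToken()); }
            @Override public void handleUnknown(AuthenticationResponse r) {
                throw new IllegalStateException("Factor verification failed: " + r.getStatus());
            }
        });
    }
}
```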