I am developing an iPhone application to demonstrate the MFA using sms factor with MFA APIs for POC. I am using the authorisation flow for getting my access token (where I get a authorisation code and redeem it for an access token)earlier to MFA implementation. From the documentation, I found out that I need an MFA_token to work with MFA APIs. I added few changes with my existing authorisation process.
I am getting an MFA Token by doing the following steps:
- Added scope enroll read:authenticators to authorisation endpoint( i.e.
“https://<my_domain>/authorize”) - Added an audience:
https://<my_domain>/mfato the authorisation endpoint - Then I make a post request to token endpoint with authorization code to get the
mfa_token. - The only changes I can observe is now the access token(which I presume to be the
mfa_token) is in jwt format with expire time 600 sec. By using this access token(=mfa_token) - I built a custom pages for my user for enrollment and challenging the user via sms.
- I am able to enroll user, confirm enrollment using this access token.
- But when I challenge an user using this access token I get the following error after
https://YOUR_DOMAIN/mfa/challengecall.
{
“error”: “invalid_grant”,
“error_description”: “Malformed mfa_token”
}
Can anyone please say me where I am going wrong?
Is the access token same as the MFA_Token in my case?
Thanks in Advance!
I think the
access_tokenonly serves asmfa_tokenduring OOB/device registration. Thenafter, the user will get anmfa_tokenduring auth, which is passed for MFA/OTP challenges