Logging into an OIDC application associated with a Custom Authenticator Application always challenges the user for Multi-factor Authentication (MFA), regardless of the Keep Me Signed In (KMSI) selection.
Other applications honor the KMSI selection as expected.
Applies To
- Okta Identity Engine (OIE)
- Pre-/Post-authentication Keep Me Signed In (KMSI)
- OpenID Connect (OIDC)
- Custom Authenticator Applications
Criteria to observe this behavior:
- Logging into an OIDC application that has a Custom Push Authenticator Application associated with it
- The scope okta.myAccount.appAuthenticator.manage is requested by the application
The Okta authentication pipeline behaves differently when a user accesses an OIDC application associated with a Custom Push Authenticator Application and the application requests the scope okta.myAccount.appAuthenticator.manage: Okta ignores any prior KMSI setting for the device and challenges the user for MFA.
okta.myAccount.appAuthenticator.manage is a highly privileged scope; requesting it causes Okta to fully re-authenticate the user.
An application should only request okta.myAccount.appAuthenticator.manage when the user intends to enroll in or un-enroll from a Custom Push Authenticator application. For standard application access, request the scope okta.myAccount.appAuthenticator.maintenance.read instead.
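The practical consequence is that the scope string an app sends on its authorize request decides whether KMSI is honored, so the scopes an app requests by default are worth auditing. The following is an added example (not Okta code and not part of the Kotlin/Swift SDKs) that builds a PKCE authorization request with the scope appropriate to the flow, and audits a request URL for okta.myAccount.appAuthenticator.manage being sent outside an enrollment flow. The Okta domain, client ID, redirect URI, state and code challenge values are constructed placeholders, and the use of the Org authorization server path /oauth2/v1/authorize for okta.* scopes is an assumption of this example.

```python
"""Build and audit OIDC authorize requests so that the highly privileged
okta.myAccount.appAuthenticator.manage scope is only sent when the user is
enrolling in or un-enrolling from a Custom Push Authenticator.

Added example, not Okta's own code. Domain, client ID, redirect URI, state
and code_challenge values below are constructed placeholders."""
from urllib.parse import urlencode, urlparse, parse_qs

# Requesting this scope makes Okta ignore KMSI and fully re-authenticate the user.
MANAGE_SCOPE = "okta.myAccount.appAuthenticator.manage"
# Scope for standard application access; KMSI is honored as usual.
MAINTENANCE_SCOPE = "okta.myAccount.appAuthenticator.maintenance.read"

BASE_SCOPES = ("openid", "profile", "offline_access")


def scopes_for(intent):
    """Return the scope list for a flow.

    'enroll' covers both enrolling in and un-enrolling from the Custom Push
    Authenticator; any other intent is treated as standard application access.
    """
    extra = MANAGE_SCOPE if intent == "enroll" else MAINTENANCE_SCOPE
    return list(BASE_SCOPES) + [extra]


def build_authorize_url(okta_domain, client_id, redirect_uri, intent, state, code_challenge):
    """Build a PKCE authorization-code request.

    Assumption: okta.* scopes are served by the Org authorization server, so the
    request goes to /oauth2/v1/authorize rather than a custom authorization server.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes_for(intent)),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{okta_domain}/oauth2/v1/authorize?{urlencode(params)}"


def audit_request(url, intent):
    """Return a list of findings for an authorize URL given the intended flow.

    Flags the manage scope on a non-enrollment request (the user will be
    re-challenged for MFA regardless of KMSI) and an enrollment request that
    is missing it.
    """
    query = parse_qs(urlparse(url).query)
    scopes = set(query.get("scope", [""])[0].split())
    findings = []
    if MANAGE_SCOPE in scopes and intent != "enroll":
        findings.append(
            f"{MANAGE_SCOPE} requested outside an enrollment flow: "
            "Okta will ignore KMSI and challenge the user for MFA"
        )
    if intent == "enroll" and MANAGE_SCOPE not in scopes:
        findings.append(f"enrollment flow does not request {MANAGE_SCOPE}")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values for a stand-alone run.
    args = ("dev-000000.okta.com", "0oaexampleclientid", "com.example.app:/callback")
    standard = build_authorize_url(*args, "standard", "state-1", "challenge-1")
    enroll = build_authorize_url(*args, "enroll", "state-2", "challenge-2")
    print("standard access findings:", audit_request(standard, "standard"))
    # A standard-access screen that reuses the enrollment URL is the bug this page describes.
    print("misused enrollment URL findings:", audit_request(enroll, "standard"))
```

When reviewing a client, run audit_request over the authorize URL the app actually emits for its default sign-in path; if the manage scope appears there, move it to the enrollment/un-enrollment screen only.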
Related References
- Custom Push Authenticator Application
- Keep Me Signed In (Remember Me)
- Kotlin and Swift Custom Push Authenticator SDKs
