
acta0 (acta0) asked a question.
We have an OIDC web app called "PROVIDER" that takes care of requesting and managing Okta tokens (and other IDPs) for an application authentication.
I developed the authentication page with Okta Auth JS to replace the Okta Widget.
It takes care of initiating authentication and requesting that a code be sent to the "PROVIDER" so that it can retrieve the tokens (Authorization code flow).
The policy specific to the "PROVIDER" application requires MFA.
Naturally, this is not triggered directly after the SignInWithCredential, as the transaction is in "SUCCESS" status.
Then the redirection to the application:
either returns an error if I specified prompt: "none", or
returns to the authentication page if I specified prompt: "login".
I can't find in the documentation a way to eventually reach the "MFA_REQUIRED" status, as happens when we have a general policy with MFA.
Some part of the code:
// Authentication
function doAuth() {
  // Normalise the entered user name before sending it
  context.login = transformUsername(document.getElementById("okta-signin-username").value);
  authClient.signInWithCredentials({
    username: context.login,
    password: document.getElementById("okta-signin-password").value
  })
    .then(manageTransaction)
    .catch(manageErrors);
}

// Handle the login according to the transaction status
function manageTransaction(transaction) {
  switch (transaction.status) {
    case 'SUCCESS': {
      let reqCtx = OktaUtil.getRequestContext();
      updateAppState({ transaction });
      // Account-unlock context
      if (transaction.recoveryType == "UNLOCK") {
        showAccountUnlocked();
        break;
      }
      // PASSWORD_RECOVERY context
      if (context.mode == 'password-reset') {
        showPasswordRecovery();
        break;
      }
      // Redirect to the provider: restart a signIn with redirect, carrying the context.
      var newContext = {
        sessionToken: transaction.sessionToken,
        prompt: 'none',
      };
      if (config.nonce)
        newContext.nonce = config.nonce;
      Object.assign(newContext, reqCtx.authentication.request);
      authClient.signInWithRedirect(newContext);
      break;
    }
    case 'MFA_REQUIRED': {
      // SMS (or email, depending on context.emailLogin)
      updateAppState({ transaction });
      // Resolve the wanted factor type first: comparing against a bare ternary
      // makes the callback truthy for every factor, so find() would always
      // return the first factor regardless of its type.
      var wantedType = context.emailLogin ? 'email' : 'sms'; // TODO: TOTP, etc.
      var factor = transaction.factors.find(function (factor) {
        return factor.provider === 'OKTA' && factor.factorType === wantedType;
      });
      factor.verify()
        .then(manageTransaction)
        .catch(manageErrors);
      break;
    }
    case 'MFA_CHALLENGE':
      updateAppState({ transaction });
      showMfa();
      break;
    case 'MFA_ENROLL': {
      let msg = 'Le cas MFA_ENROLL ne doit pas intervenir dans le cas CANAL PLUS. Les utilisateurs sont déjà enrollé à l`inscription';
      alert(msg);
      showError(msg, transaction);
      break;
    }
    case 'ERROR':
      manageErrors(transaction);
      break;
    default:
      throw new Error('We cannot handle the ' + transaction.status + ' status');
  }
}
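
An added example, not from acta0's post or from okta-auth-js: the factor selection from the MFA_REQUIRED branch as it was written, beside a corrected version, both run over a constructed factor list (the factor ids, providers and verify() stubs are made up for the demonstration).

```javascript
// Constructed sample of what transaction.factors might hold when the
// transaction status is MFA_REQUIRED. Only the fields the selector reads
// are included; verify() is a stub standing in for the real call.
const sampleFactors = [
  { id: 'f-sms',   provider: 'OKTA',   factorType: 'sms',
    verify() { return Promise.resolve('sms'); } },
  { id: 'f-email', provider: 'OKTA',   factorType: 'email',
    verify() { return Promise.resolve('email'); } },
  { id: 'f-totp',  provider: 'GOOGLE', factorType: 'token:software:totp',
    verify() { return Promise.resolve('totp'); } },
];

// Selection as posted. The conditional operator binds more loosely than
// '&&', so the whole '&&' expression becomes the ternary's condition and
// the callback returns the string 'email' or 'sms' for every factor. Both
// are truthy, so find() returns the first factor whatever its type.
function selectFactorAsPosted(factors, emailLogin) {
  return factors.find(function (factor) {
    return factor.provider === 'OKTA' && factor.factorType === emailLogin ? 'email' : 'sms';
  });
}

// Corrected selection: resolve the wanted type first, compare explicitly,
// and fail loudly when the user has no such factor instead of letting
// factor.verify() throw a TypeError on undefined.
function selectFactor(factors, emailLogin) {
  const wanted = emailLogin ? 'email' : 'sms';
  const factor = factors.find(f => f.provider === 'OKTA' && f.factorType === wanted);
  if (!factor) {
    throw new Error('No OKTA ' + wanted + ' factor enrolled for this user');
  }
  return factor;
}
```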

Hi @acta0 (acta0), thank you for reaching out to the Okta Community!
This type of question would be more appropriate for our dedicated Developer Forum devforum.okta.com .
While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-developer work).
In the meantime, please check out the following posts in case they contain some information to help you move in the right direction with your integration:
https://devforum.okta.com/t/using-application-sign-on-policy-with-mfa-via-api/10235
https://github.com/okta/okta-auth-js/issues/376
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!