TylerC.86060 (Customer) asked a question.
Challenges and Password Confirmation based on challengeAuthenticatorsList
Reviewing API logs for policy.evaluate_sign_on events, I see the debug data includes a challengeAuthenticatorsList. The value may be something like: "challengeAuthenticatorsList": "[{Okta Verify : totp}, {Password : password}, {Okta Verify : push}]"
What I am looking to understand is if the challengeAuthenticatorsList includes authenticator methods that still are awaiting to be satisfied? Or will it include methods that have already been satisfied?
For example, if Alice provides a password, but has additional challenges she needs to complete, will the challengeAuthenticatorsList be updated to remove {Password : password}, when it has been satisfied in subsequent challenges?
Hello @TylerC.86060 (Customer) Thank you for posting on our Community page!
If Alice provides her password, and the challengeAuthenticatorsList is initially:
"challengeAuthenticatorsList": "[{Okta Verify : totp}, {Password : password}, {Okta Verify : push}]"
After Alice successfully provides her password, a subsequent policy.evaluate_sign_on event (if further challenges are required) would likely show a challengeAuthenticatorsList that no longer includes {Password : password}, for example:
"challengeAuthenticatorsList": "[{Okta Verify : totp}, {Okta Verify : push}]"
This indicates that the password challenge has been satisfied, and the authentication flow is now waiting for Alice to satisfy one of the Okta Verify challenges (either TOTP or Push).
In summary, the challengeAuthenticatorsList provides a real-time view of the authentication challenges that are currently pending or in progress during a sign-on attempt. It evolves as the user satisfies the required authentication factors.
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Collect them all. Learn a new skill and earn a new Okta Learning badge.