Okta Classic Engine | Authentication | Answered | Asked 2025-08-20T18:53:45Z, last activity 2025-09-02T15:27:41Z

ElijahR.61378 (Customer) asked a question.

Getting 400 error when following direct authentication with OOB MFA guide

I've been attempting to follow the auth flow described here:

https://developer.okta.com/docs/guides/configure-direct-auth-grants/dmfaoobov/main/

However, when I follow the steps exactly, I get this status code 400 response when doing the initial ROPC authentication:

{
    "error": "invalid_grant",
    "error_description": "Resource owner password credentials authentication denied by sign on policy."
}

I am expecting a 403 with an MFA token as described in the guide.

When I tried to look around for why, I see older posts suggesting that ROPC doesn't support MFA, directly contradicting this guide. When I change the sign-on policy to only require password, the request goes through and I receive my access and id token.

Any suggestions and hints as to what the problem could be would be very appreciated.
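
The three requests the linked guide describes (password grant, OOB challenge, polled MFA-OOB grant), written out as an added example client; this is not code from the original post or from Okta. It assumes a custom authorization server issuer of https://example.okta.com/oauth2/default and a public client id, both placeholders, and uses the form parameter names shown in the guide; confirm them against the guide before relying on them. The `scripted_transport` helper and every response body it replays are constructed for offline use. Two practitioner notes: the `mfa_token` and `oob_code` are bearer secrets and should never be logged, and since the client handles the raw password this flow belongs only in first-party native apps. Okta documents the direct-authentication grants for Identity Engine, while this thread is tagged Okta Classic Engine, which is worth confirming before digging further into policy settings.

```python
"""Client side of the Okta direct-authentication OOB MFA flow.

Added example; not code from the original post or from Okta. Issuer and
client id are placeholders; parameter names follow the linked guide.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob"


class DirectAuthError(Exception):
    """The flow cannot continue; the message carries the server's error body."""


def http_post_form(url, form):
    """Default transport: POST form data, return (status, json body).
    4xx responses are returned, not raised: the 403 mfa_required and the
    400 authorization_pending bodies are part of the protocol."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def scripted_transport(responses):
    """Offline stand-in for http_post_form: replays constructed (status, body)
    pairs in order and records each request so a test can inspect it."""
    queue, calls = list(responses), []

    def post(url, form):
        calls.append((url, dict(form)))
        return queue.pop(0)
    return post, calls


class OobMfaClient:
    def __init__(self, issuer, client_id, post=http_post_form, sleep=time.sleep):
        base = issuer.rstrip("/")
        self.token_url = base + "/v1/token"
        self.challenge_url = base + "/v1/challenge"
        self.client_id = client_id
        self._post, self._sleep = post, sleep

    def password_step(self, username, password, scope="openid profile"):
        """Step 1, the ROPC request: 403 mfa_required + mfa_token when the
        policy wants a second factor, 200 + tokens when password alone suffices."""
        status, body = self._post(self.token_url, {
            "grant_type": "password", "username": username, "password": password,
            "scope": scope, "client_id": self.client_id})
        if status == 200 and "access_token" in body:
            return {"mfa_required": False, "tokens": body}
        if status == 403 and body.get("error") == "mfa_required" and body.get("mfa_token"):
            return {"mfa_required": True, "mfa_token": body["mfa_token"]}
        if status == 400 and body.get("error") == "invalid_grant":
            # The 400 from the original post lands here: the password grant
            # itself was refused, so there is no mfa_token to continue with.
            raise DirectAuthError("password grant rejected before MFA could start: "
                                  + body.get("error_description", "(no description)"))
        raise DirectAuthError(f"unexpected response {status}: {body}")

    def challenge_step(self, mfa_token, channel_hint="push"):
        """Step 2: ask the server to send the out-of-band challenge."""
        status, body = self._post(self.challenge_url, {
            "client_id": self.client_id, "mfa_token": mfa_token,
            "challenge_types_supported": MFA_OOB_GRANT, "channel_hint": channel_hint})
        if status != 200 or not body.get("oob_code"):
            raise DirectAuthError(f"challenge failed {status}: {body}")
        return body["oob_code"]

    def poll_step(self, mfa_token, oob_code, interval=5, timeout=300):
        """Step 3: redeem the oob_code, waiting while authorization_pending."""
        waited = 0
        while True:
            status, body = self._post(self.token_url, {
                "grant_type": MFA_OOB_GRANT, "client_id": self.client_id,
                "mfa_token": mfa_token, "oob_code": oob_code})
            if status == 200 and "access_token" in body:
                return body
            if body.get("error") == "authorization_pending" and waited < timeout:
                self._sleep(interval)
                waited += interval
                continue
            raise DirectAuthError(f"OOB grant failed {status}: {body}")

    def sign_in(self, username, password):
        first = self.password_step(username, password)
        if not first["mfa_required"]:
            return first["tokens"]
        token = first["mfa_token"]  # bearer secret: never log it
        return self.poll_step(token, self.challenge_step(token))


if __name__ == "__main__":
    # Constructed responses in the order the guide describes: 403 with an
    # mfa_token, challenge accepted, one pending poll, then tokens.
    post, calls = scripted_transport([
        (403, {"error": "mfa_required", "mfa_token": "mfa-token-example"}),
        (200, {"oob_code": "oob-code-example", "expires_in": 300}),
        (400, {"error": "authorization_pending"}),
        (200, {"access_token": "at-example", "id_token": "idt-example", "token_type": "Bearer"}),
    ])
    client = OobMfaClient("https://example.okta.com/oauth2/default", "client-id-example",
                          post=post, sleep=lambda seconds: None)
    print(client.sign_in("user@example.com", "password-example")["token_type"], len(calls), "requests")
```

Swap `http_post_form` in for the scripted transport to run it against a real org; the `password_step` branch for `invalid_grant` is what turns the 400 shown above into an actionable error instead of a silent fall-through.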


  • RohitU.50441 (Trevonix)

    @ElijahR.61378 (Customer)

    You will have to enable the password grant in the access policies.

    Navigate to Security > API > Default Authorization Server and switch to the Access Policies option. Make sure the password grant is allowed in the policy.

  • ElijahR.61378 (Customer)

    Thank you for the quick response. Unfortunately, it's already enabled.

    The default access policy for the default authorization server has the following enabled: client credentials, authorization code, device authorization, OTP, OOB, MFA OTP, MFA OOB, and Resource Owner Password.

    The application also has all grant types enabled, to rule out anything there.

    Sign on policy is:

    Access: Allowed with password + another factor
    Your org's authenticators that satisfy this requirement:
    Password
    and
    Additional factor types: Okta Verify - TOTP or Okta Verify - FastPass

    Your org allows users to verify their identity with a knowledge factor (Password) before the possession factor. To change this, protect against password-based attacks in Security > General.

    Possession factor constraints: Require user interaction
    Authentication methods: Allow any method that can be used to meet the requirement
    Password re-authentication frequency is: Every 2 hours
    Other authenticator re-authentication frequency: Every 1 hour

    Is there anything else I can be missing?

  • RohitU.50441 (Trevonix)

    @ElijahR.61378 (Customer) Can you check if the user is already enrolled in at least one of the factors you are requesting? And see if that works.

  • ElijahR.61378 (Customer)

    @RohitU.50441 (Trevonix) My user is enrolled in Okta Verify. Okta Verify and Email are set up as optional in the MFA policy.

  • ElijahR.61378 (Customer)

    Is there anything else I should be trying or looking at? I would really appreciate any help on this - thank you.

This question is closed.