okta-oidc-ios

MFA authentication with sessionToken broken

Open programmarchy opened this issue 3 years ago • 10 comments

It does not seem possible to authenticate with MFA using okta-auth-swift and okta-oidc-ios.

I'm able to get a sessionToken after successfully verifying MFA with a passcode (using Google Authenticator), but then the subsequent call to OktaOidc.authenticate(withSessionToken:) fails with the following error:

"Authorization Error: Unexpected response format while retrieving authorization code."

To replicate these steps:

  • Clone https://github.com/okta/samples-ios/tree/master/custom-sign-in
  • Update Okta.plist
  • Update Okta domain
  • Run the app; notice you can "Sign In", but stateManager is nil and error is set to the message above.

I have the following settings configured:

[Screenshots: 1-google-auth-enabled, 2-app-level-auth, 3-org-level-auth]

programmarchy avatar Apr 06 '21 19:04 programmarchy

Hi @programmarchy,

Thanks for your question! I'm going to assign this to someone on our team who can help with this library.

laura-rodriguez avatar Apr 06 '21 20:04 laura-rodriguez

Internal ref: OKTA-385140

laura-rodriguez avatar Apr 06 '21 20:04 laura-rodriguez

@laura-rodriguez I have some additional information that may be helpful. Here's where the error is created:

[Screenshot: Screen Shot 2021-04-06 at 3 26 35 PM]

programmarchy avatar Apr 06 '21 20:04 programmarchy

@laura-rodriguez Another update --

If I delete my app-level MFA sign on rule, and leave only the org-level sign on rule, then things work as expected.

programmarchy avatar Apr 06 '21 21:04 programmarchy

@programmarchy What is defined in Multifactor -> Factor Enrollment? Have you added some custom rule there?

oleggnidets-okta avatar Apr 07 '21 11:04 oleggnidets-okta

@oleggnidets-okta I'm pretty sure I had set "Google Authenticator" to "Required" for enrollment, but I actually can't double check that currently because I managed to lock out all of my users (including admin) during testing.

programmarchy avatar Apr 07 '21 14:04 programmarchy

Never mind, I can reproduce the issue. Now I need to bring this issue up and discuss it with our team.

oleggnidets-okta avatar Apr 07 '21 14:04 oleggnidets-okta

Hi @programmarchy @bdruth, I have discussed the issue with the team and the person who developed OktaAuthSdk.

Indeed, there's no way to intercept the MFA challenge when you exchange a sessionToken. OIDC does the silent exchange, and this is the whole idea. If you want to handle MFA at the app level, then you should switch to the SIW (sign-in widget) flow.

The solution is to delete the app-level MFA sign-on rule and leave only the org-level sign-on rule.

Related Android issue.

oleggnidets-okta avatar Apr 09 '21 10:04 oleggnidets-okta
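To make the "silent exchange" concrete: what `authenticate(withSessionToken:)` does under the hood is a standard authorization-code (PKCE) request to the OIDC `/authorize` endpoint with the `sessionToken` added as a query parameter, and it only succeeds if the very first response is a redirect back to the app's `redirect_uri` carrying a `code` and the original `state`. The script below is an added diagnostic example, not code from okta-oidc-ios, okta-auth-swift or the thread: it builds that request and classifies the first response, so you can see which answers the SDK can consume and which ones surface as "Unexpected response format while retrieving authorization code". The issuer, client ID and redirect URI are placeholders, and the non-success response used as the "MFA rule interrupted the exchange" case is constructed (a plain HTML page); the thread does not show the exact bytes Okta returns in that situation, only that it is not the expected redirect.

```python
"""
Diagnose the first response to an OIDC authorize request that carries an
Okta sessionToken. The SDK expects a redirect to redirect_uri with
?code=...&state=...; anything else means the silent exchange was
interrupted (for example by a sign-on policy that still wants MFA).
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder tenant values (assumptions, not from the thread).
ISSUER = "https://dev-123456.okta.com/oauth2/default"
CLIENT_ID = "0oaexampleclientid"
REDIRECT_URI = "com.example.app:/callback"   # custom-scheme redirect, as iOS apps use
STATE = "s3cr3tstate"
NONCE = "n0nce"


def make_pkce():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(issuer, client_id, redirect_uri, scopes, session_token,
                        state, nonce, code_challenge):
    """The request made on the app's behalf: a normal authorization-code
    request plus the sessionToken parameter that lets Okta skip its login UI."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "sessionToken": session_token,
    }
    return f"{issuer.rstrip('/')}/v1/authorize?{urlencode(params)}"


def _same_endpoint(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.netloc, pa.path) == (pb.scheme, pb.netloc, pb.path)


def classify_authorize_response(status, headers, redirect_uri, expected_state):
    """Classify the FIRST response (redirects must not be followed, or the
    code in the Location header is lost). Returns a (kind, detail) tuple."""
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if status not in (302, 303, 307) or location is None:
        return ("unexpected", f"HTTP {status} with no redirect; silent exchange interrupted")
    if not _same_endpoint(location, redirect_uri):
        # Sent somewhere other than the app: a login/MFA page, not a code.
        return ("redirected_elsewhere", location)
    qs = parse_qs(urlsplit(location).query)
    if qs.get("state", [None])[0] != expected_state:
        return ("unexpected", "state mismatch on redirect_uri")
    if "code" in qs:
        return ("code", qs["code"][0])
    if "error" in qs:
        return ("error", qs.get("error_description", qs["error"])[0])
    return ("unexpected", "redirect_uri reached without code or error")


# Constructed sample responses (not captured from a real tenant).
SAMPLES = {
    "success": (302, {"Location": f"{REDIRECT_URI}?code=AbCdEf123&state={STATE}"}),
    "mfa_rule_interrupted": (200, {"Content-Type": "text/html; charset=utf-8"}),
    "oidc_error": (302, {"Location": f"{REDIRECT_URI}?error=login_required"
                                      f"&error_description=The+client+specified+not+to+prompt"
                                      f"&state={STATE}"}),
}


def run_samples():
    """Classify every constructed sample; returns {name: (kind, detail)}."""
    return {name: classify_authorize_response(status, hdrs, REDIRECT_URI, STATE)
            for name, (status, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    _, challenge = make_pkce()
    print(build_authorize_url(ISSUER, CLIENT_ID, REDIRECT_URI,
                              ["openid", "profile"], "sessionTokenFromAuthSdk",
                              STATE, NONCE, challenge))
    for name, result in run_samples().items():
        print(f"{name:>22}: {result}")
```

Only the `success` sample is something the SDK can turn into a state manager; the other two are exactly the class of answer the thread describes, which is why the fix is to remove the app-level MFA rule (or move MFA handling into the sign-in widget flow) rather than anything in the client code.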

@oleggnidets-okta Thanks. It would be helpful if the Okta documentation clearly explained this, and it seems like the Okta admin interface should disable or at least present the user a warning when adding an app-level MFA rule for OIDC providers.

programmarchy avatar Apr 14 '21 04:04 programmarchy

@programmarchy I'm facing a similar issue. I don't see any app-level rule added, but I might be wrong. Can you help me understand how to add an org-level rule and remove any app-level rules? Thanks.

ahujamanish avatar Oct 21 '21 04:10 ahujamanish