Background info
With the multiOptionalFactorEnroll flag set to true, users prompted to enroll in MFA should be kicked back to the enrollment screen to enroll additional factors after successfully enrolling one factor. This works for the regular sign-in flow but not when a recoveryToken is specified.
This issue was raised separately by two clients (see 01205997 and 01208760). We have HONOR_MFA_ENROLL_OPTION_AFTER_STATETOKEN_BOOTSTRAP enabled, but it doesn't have any effect on recovery tokens.
I've overloaded verifyRecoveryToken with the following to force the multiOptionalFactorEnroll flag to be sent to /authn/recovery/token:
    var config = OktaUtil.getSignInWidgetConfig();
    config.features.multiOptionalFactorEnroll = true;
    var oktaSignIn = new OktaSignIn(config);

    // Keep a reference to the auth client's own verifyRecoveryToken, then
    // replace it with a wrapper that adds the options block before calling through.
    oktaSignIn.authClient.originalVerifyRecoveryToken = oktaSignIn.authClient.verifyRecoveryToken;
    oktaSignIn.authClient.verifyRecoveryToken = function (opts) {
        // Note: this replaces any options block the caller already passed.
        opts.options = {
            "multiOptionalFactorEnroll": true
        };
        // Called as a method, so `this` is the auth client.
        return this.originalVerifyRecoveryToken(opts);
    };

    oktaSignIn.renderEl({ el: '#okta-login-container' },
        OktaUtil.completeLogin,
        function (error) {
            // Logs errors that occur when configuring the widget.
            // Remove or replace this with your own custom error handler.
            console.log(error.message, error);
        }
    );
I verified that this options block is accepted by the API with the following:
which responds with:
and verified that unknown parameters are refused by the API with the following:
which responds with:
    {"errorCode":"E0000003","errorSummary":"The request body was not well-formed.","errorLink":"E0000003","errorId":"oaeyuM_8jm_RLuetwI6klM8Iw","errorCauses":[]}
Expected behavior
A user that is not enrolled in MFA should be prompted to enroll. After they complete enrollment of one factor, they should be given the option to enroll in other factors or click the Finish button to redirect.
What went wrong?
Instead of prompting the user to enroll in additional factors, the Sign-In Widget ignores that multiOptionalFactorEnroll has been set to true and redirects immediately.
Steps to reproduce
Embedded screencasts:
Normal login flow (multiOptionalFactorEnroll: true works as expected):
a. Reset all factors
b. Reset to temp password
c. Login with temp password
Recovery flow (multiOptionalFactorEnroll: true is ignored):
a. Reset all factors
b. Reset with email recovery link
c. Login with email recovery link
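The workaround above replaces whatever options block the caller passed. As an added example (not from the issue or from the Okta Sign-In Widget), the wrapper below merges the flag into existing options and leaves the caller's object untouched; the authClient is a constructed stub that only records what would be posted to /authn/recovery/token, and the (opts) signature of verifyRecoveryToken is taken from the issue.

```javascript
// Wraps authClient.verifyRecoveryToken so every call carries
// multiOptionalFactorEnroll: true, merged with any options already present.
function wrapVerifyRecoveryToken(authClient) {
  const original = authClient.verifyRecoveryToken;
  if (typeof original !== 'function') {
    throw new TypeError('authClient.verifyRecoveryToken is not a function');
  }
  authClient.verifyRecoveryToken = function (opts) {
    // Build a new object instead of mutating the caller's opts.
    const merged = {
      ...opts,
      options: { ...((opts && opts.options) || {}), multiOptionalFactorEnroll: true },
    };
    // Preserve `this` so the original keeps the auth client as its context.
    return original.call(this, merged);
  };
  return authClient;
}

// Constructed stub standing in for oktaSignIn.authClient: records the body
// it would send to /authn/recovery/token instead of calling Okta.
function makeStubAuthClient() {
  const sent = [];
  return {
    sent,
    verifyRecoveryToken(opts) {
      sent.push({ url: '/authn/recovery/token', body: opts });
      return Promise.resolve({ status: 'RECOVERY' });
    },
  };
}

// Drives the wrapper against the stub with a constructed recovery token and a
// constructed pre-existing option, and returns what was sent plus whether the
// caller's input was left unmodified.
function demo() {
  const client = wrapVerifyRecoveryToken(makeStubAuthClient());
  const input = {
    recoveryToken: 'CONSTRUCTED-TOKEN',
    options: { constructedExistingOption: true },
  };
  client.verifyRecoveryToken(input);
  return {
    sent: client.sent[0].body,
    inputUntouched: input.options.multiOptionalFactorEnroll === undefined,
  };
}
```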