MFA authentication with sessionToken broken #285

Open
programmarchy opened this issue Apr 6, 2021 · 10 comments
Comments

@programmarchy

It does not seem possible to authenticate with MFA using okta-auth-swift and okta-oidc-ios.

I'm able to get a sessionToken after successfully verifying MFA with a passcode (using Google Authenticator), but then the subsequent call to OktaOidc.authenticate(withSessionToken:) fails with the following error:

"Authorization Error: Unexpected response format while retrieving authorization code."

Steps to replicate:

  • Clone https://github.com/okta/samples-ios/tree/master/custom-sign-in
  • Update Okta.plist
  • Update Okta domain
  • Run the app; notice you can "Sign In", but stateManager is nil and error is set to the message above.

I have the following settings configured:

[Screenshots attached to the issue: 1-google-auth-enabled, 2-app-level-auth, 3-org-level-auth]

@laura-rodriguez

Hi @programmarchy,

Thanks for your question! I'm going to assign this to someone on our team who can help with this library.

@laura-rodriguez

Internal ref: OKTA-385140

@programmarchy
Author

@laura-rodriguez I have some additional information that may be helpful. Here's where the error is created:

[Screenshot attached to the issue: "Screen Shot 2021-04-06 at 3 26 35 PM"]

@programmarchy
Author

@laura-rodriguez Another update --

If I delete my app-level MFA sign on rule, and leave only the org-level sign on rule, then things work as expected.

@oleggnidets-okta
Contributor

@programmarchy What is defined in Multifactor -> Factor Enrollment? Have you added some custom rule there?

@programmarchy
Author

@oleggnidets-okta I'm pretty sure I had set "Google Authenticator" to "Required" for enrollment, but I actually can't double check that currently because I managed to lock out all of my users (including admin) during testing.

@oleggnidets-okta
Contributor

Never mind, I can reproduce the issue. Now I should bring this issue up and discuss it with our team.

@oleggnidets-okta
Contributor

Hi @programmarchy @bdruth,
I have discussed the issue with the team and a guy who developed OktaAuthSdk.

Indeed, there's no way to intercept the MFA challenge when you exchange the sessionToken. OIDC does the silent exchange, and this is the whole idea. If you want to handle MFA at the app level, then you should switch to the SIW (sign-in widget) flow.

The solution is to delete the app-level MFA sign-on rule and leave only the org-level sign-on rule.

Related Android issue.
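One way to wire the two libraries together the way the maintainer describes, as an added example that is not code from the issue or from Okta's samples: MFA is completed against the Authn API with okta-auth-swift, and only the resulting sessionToken is handed to okta-oidc-ios for the silent exchange, where a nil stateManager is surfaced as a failure instead of being ignored. The status-type names, `selectFactor`, `OktaFactorTotp.verify(passCode:...)`, `OktaOidc()` reading Okta.plist and the `OktaError` type are assumptions about the libraries' public API taken from memory, and `promptForPasscode` is a hypothetical UI hook supplied by the caller.

```swift
import Foundation
import OktaAuthSdk   // okta-auth-swift
import OktaOidc      // okta-oidc-ios

// Added example; not code from the issue or from Okta's samples.
// Assumed (from memory of the libraries' public APIs, not confirmed by the issue):
// OktaAuthStatus.statusType cases .MFARequired/.MFAChallenge/.success,
// OktaAuthStatusFactorRequired.availableFactors/selectFactor, OktaFactorTotp.verify,
// OktaAuthStatusSuccess.sessionToken, OktaError, and OktaOidc() reading Okta.plist.
enum SessionTokenSignInError: Error {
    case noTotpFactor
    case noSessionToken
    case unexpectedStatus(String)
    /// The silent exchange returned neither a state manager nor an error.
    case exchangeReturnedNothing
}

final class SessionTokenSignIn {
    private let oktaDomain: URL
    private let oidc: OktaOidc

    init(oktaDomain: URL) throws {
        self.oktaDomain = oktaDomain
        self.oidc = try OktaOidc()   // issuer, clientId, redirect URIs from Okta.plist
    }

    /// Primary authentication, TOTP challenge (if the org-level policy requires
    /// one), then the sessionToken exchange for OIDC tokens.
    func signIn(username: String,
                password: String,
                promptForPasscode: @escaping (@escaping (String) -> Void) -> Void,
                completion: @escaping (Result<OktaOidcStateManager, Error>) -> Void) {
        OktaAuthSdk.authenticate(
            with: oktaDomain,
            username: username,
            password: password,
            onStatusChange: { status in
                self.handle(status, promptForPasscode: promptForPasscode, completion: completion)
            },
            onError: { error in completion(.failure(error)) })
    }

    private func handle(_ status: OktaAuthStatus,
                        promptForPasscode: @escaping (@escaping (String) -> Void) -> Void,
                        completion: @escaping (Result<OktaOidcStateManager, Error>) -> Void) {
        let next: (OktaAuthStatus) -> Void = {
            self.handle($0, promptForPasscode: promptForPasscode, completion: completion)
        }
        let fail: (OktaError) -> Void = { completion(.failure($0)) }

        switch status.statusType {
        case .MFARequired:
            // The Authn API requires a factor; pick the TOTP (Google Authenticator) one.
            guard let required = status as? OktaAuthStatusFactorRequired,
                  let totp = required.availableFactors.first(where: { $0.type == .TOTP }) else {
                completion(.failure(SessionTokenSignInError.noTotpFactor))
                return
            }
            required.selectFactor(totp, onStatusChange: next, onError: fail)

        case .MFAChallenge:
            // Ask the user for the code and verify it against the challenge.
            guard let challenge = status as? OktaAuthStatusFactorChallenge,
                  let totp = challenge.factor as? OktaFactorTotp else {
                completion(.failure(SessionTokenSignInError.noTotpFactor))
                return
            }
            promptForPasscode { code in
                totp.verify(passCode: code, onStatusChange: next, onError: fail)
            }

        case .success:
            guard let success = status as? OktaAuthStatusSuccess,
                  let sessionToken = success.sessionToken else {
                completion(.failure(SessionTokenSignInError.noSessionToken))
                return
            }
            exchange(sessionToken: sessionToken, completion: completion)

        default:
            completion(.failure(SessionTokenSignInError.unexpectedStatus("\(status.statusType)")))
        }
    }

    private func exchange(sessionToken: String,
                          completion: @escaping (Result<OktaOidcStateManager, Error>) -> Void) {
        // The sessionToken exchange is silent and non-interactive: no second factor
        // can be presented here. An app-level MFA sign-on rule on the OIDC app can
        // therefore not be satisfied, and the SDK reports
        // "Unexpected response format while retrieving authorization code".
        oidc.authenticate(withSessionToken: sessionToken) { stateManager, error in
            if let stateManager = stateManager {
                completion(.success(stateManager))
            } else {
                completion(.failure(error ?? SessionTokenSignInError.exchangeReturnedNothing))
            }
        }
    }
}
```

The design point is that every MFA interaction happens before `exchange(sessionToken:)` is reached, because nothing after that point can prompt the user; if the exchange still fails with the error quoted in the issue, the thing to check is the sign-on policy on the OIDC application, not the client code.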

@programmarchy
Author

@oleggnidets-okta Thanks. It would be helpful if the Okta documentation clearly explained this, and it seems like the Okta admin interface should disable or at least present the user a warning when adding an app-level MFA rule for OIDC providers.

@ahujamanish

@programmarchy I'm facing a similar issue. I don't see that I have any app-level rule added, but I might be wrong. Can you help me understand how to add an org-level rule and remove any app-level rules? Thanks.
