MFA bypassed only when Device Fingerprint is passed in RequestContext and not when passed in AuthenticationRequest #41
Comments
|
Hey @jmalickenexient sorry for the late response, i think i had my notifications set wrong on this repo. How is your login policy configured? |
|
@jmalickenexient Also, where are you using this library? Is this in the backend of a web app (controller or other code), or somewhere else? |
|
Hey @jmalickenexient! I dug into this a bit. The device fingerprint isn't used when remembering the device for MFA purposes, it is used to notify a user that a new device has been used to login in to your Org. The Device Token is used to remember the device (regards to MFA), see: https://developer.okta.com/docs/api/resources/authn/#request-parameters-for-primary-authentication We have a task to make this more obvious in our docs. |
|
We would still love to know a little bit more about your use-case ;) |
|
This is in a backend of a web app that's functioning as a proxy service for a mobile client. Use-case is also described in #13 |
First, thank you for updating the library to support headers for proxy clients! I think the implementation is close to complete, but I did notice a minor annoyance. Details follow:
Reproduction Steps
OBSERVED:
EXPECTED: The user should only have to MFA the first login attempt and once correctly passed MFA should not see MFA each and every login
Alternate Solution
Instead of passing a Header.xDeviceFingerprint(deviceFingerprint) to authenticate() as a RequestContext parameter, pass deviceFingerprint as part of the AuthenticationRequest parameter. Observe that MFA is correctly skipped in subsequent logins.
The text was updated successfully, but these errors were encountered: