MFA with the password grant

    dan, last edited 4 Nov 2021, 13:44

    Can I use MFA with the password grant (resource owner password credentials grant)?

    --
    FusionAuth - Auth for devs, built by devs.
    https://fusionauth.io

      dan, last edited by dan 11 Apr 2021, 13:48 4 Nov 2021, 13:47

      Yes. While we recommend the Authorization Code grant in almost all situations, there are times when you need the password grant, and FusionAuth's MFA works with it just fine.

      When you begin the password grant, if the user has MFA set up, you won't receive the JWT on successful authentication. Instead you'll receive JSON like this:

      {"error":"two_factor_required","error_description":"The user has enabled two factor authentication.","two_factor_id":"gDNV2_fFtl7vhMV5_5bFJUL3ZyZ5Ine69n0xWDXKEGw"}

      You'll then need to use the provided two_factor_id to complete the MFA as documented here: https://fusionauth.io/docs/v1/tech/apis/login/#complete-multi-factor-authentication

      That might look something like this:

      curl https://local.fusionauth.io/api/two-factor/login -H 'content-type: application/json' -d '{"twoFactorId": "gDNV2_fFtl7vhMV5_5bFJUL3ZyZ5Ine69n0xWDXKEGw", "code": "487156"}'

      At that time you'll get a JWT and normal successful login response.

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

        admin b, last edited 10 Jun 2024, 13:38
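      The flow described in the answer above, as an added example in Python (not FusionAuth's own code nor the poster's): run the password grant, and if the token endpoint answers with `two_factor_required`, finish the login with the returned `two_factor_id` and the user's code. `BASE_URL` and `CLIENT_ID` are placeholders, the HTTP transport is injectable, and the offline demo replays constructed responses rather than real server output.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders: point these at your own FusionAuth instance and application.
BASE_URL = "https://local.fusionauth.io"
CLIENT_ID = "<your-application-id>"

def http_post(url, body, content_type):
    """Minimal transport: POST a string body and return (status, response text)."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": content_type})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:  # error responses carry a JSON body too
        return e.code, e.read().decode()

def login_with_mfa(username, password, get_code, post=http_post):
    """Password grant; if MFA is enabled, complete it via /api/two-factor/login."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": CLIENT_ID,
                                   "username": username, "password": password})
    status, text = post(f"{BASE_URL}/oauth2/token", form, "application/x-www-form-urlencoded")
    data = json.loads(text)
    if "access_token" in data:          # no MFA on this user: the JWT arrives directly
        return data
    if data.get("error") != "two_factor_required":
        raise PermissionError(f"password grant failed: {data.get('error', status)}")
    # two_factor_id is a short-lived secret for this login attempt: keep it out of logs.
    body = json.dumps({"twoFactorId": data["two_factor_id"], "code": get_code()})
    status, text = post(f"{BASE_URL}/api/two-factor/login", body, "application/json")
    if status != 200:
        raise PermissionError(f"MFA completion rejected (HTTP {status})")
    return json.loads(text)             # normal successful login response with the JWT

# Offline demo: a fake transport replaying constructed responses (status codes are made up).
def demo_transport(url, body, content_type):
    if url.endswith("/oauth2/token"):
        return 400, ('{"error":"two_factor_required","error_description":"The user has enabled '
                     'two factor authentication.","two_factor_id":"CONSTRUCTED_2FA_ID"}')
    assert json.loads(body) == {"twoFactorId": "CONSTRUCTED_2FA_ID", "code": "487156"}
    return 200, '{"token":"CONSTRUCTED.JWT.VALUE"}'

def demo():
    return login_with_mfa("alice@example.com", "hunter2", lambda: "487156", post=demo_transport)

if __name__ == "__main__":
    print(demo())
```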

        Thanks for addressing this use case. Your proposal, however, runs counter to any standardization effort: Long live OAuth! 🙂

        A better approach would be to switch from a password grant to the use of authorization codes (instead of passwords) to obtain the access token. This is fully within the OAuth framework and does not introduce fusionauth-specific hacks into the solution.

        We have created a simple HTML page that redirects to the fusionauth authorize endpoint with grant_type=authorization_code. The browser handles MFA as usual. Upon redirecting to this page, the page can harvest the authorization code for the user to copy. From there, proceed with the authorization code in place of a password.

        PS: Long live OAuth!
