mfa

package v0.229.0

This package is not in the latest version of its module.

Published: May 27, 2026 License: MIT Imports: 4 Imported by: 0

Documentation
Overview

Package mfa implements the in-memory state for Auth0's two-step MFA challenge flow.

Auth0 enforces MFA via a two-step /oauth/token flow:

  1. The initial password / password-realm request returns 403 { "error": "mfa_required", "mfa_token": "..." } instead of minting an access token.
  2. The client re-calls /oauth/token with one of the MFA grants (mfa-otp, mfa-oob, mfa-recovery-code), presenting the mfa_token from step 1 together with the user's factor.

Whether MFA is required at all is controlled by a runtime flag mutated via /admin0/mfa-required. The accepted challenges are fixed canned values (matching the spirit of /passwordless/verify accepting "000000"):

OTP            = "123456"
BindingCode    = "123456"
RecoveryCode   = "ABCDEFGHIJKLMNOP"


Constants

const (
	AcceptedOTP          = "123456"
	AcceptedBindingCode  = "123456"
	AcceptedRecoveryCode = "ABCDEFGHIJKLMNOP"
)

Fixed canned challenges accepted by the mock. Tests can rely on them.

const DefaultTokenTTL = 10 * time.Minute

DefaultTokenTTL is how long an issued mfa_token stays valid before the matching challenge becomes unredeemable.

Variables

This section is empty.

Functions

This section is empty.

Types

type Context

type Context struct {
	ClientID string
	Audience string
	Scope    string
	Subject  string
	Realm    string // Empty for plain password grant.
	// contains filtered or unexported fields
}

Context carries the token-issuance state from step 1 (the 403 response) to step 2 (the MFA grant exchange) so the second request can mint a token equivalent to what the first would have produced.

type Option added in v0.227.0

type Option func(*Store)

Option configures a Store at construction.

func WithNow added in v0.227.0

func WithNow(now func() time.Time) Option

WithNow overrides the time source used for mfa_token expiry. Wire to clock.Controlled.Now for runtime control over the MFA challenge window. Nil is silently ignored.

type Store

type Store struct {
	// contains filtered or unexported fields
}

Store holds active mfa_tokens and the global "MFA required" flag. Safe for concurrent use.

func NewStore

func NewStore(opts ...Option) *Store

NewStore returns an empty Store with the default TTL and MFA disabled.

func (*Store) Consume

func (s *Store) Consume(token string) (Context, bool)

Consume returns the Context registered against an mfa_token and removes it (single-use). Returns false if the token is unknown or expired.

func (*Store) IsRequired

func (s *Store) IsRequired() bool

IsRequired reports whether MFA enforcement is currently on.

func (*Store) Issue

func (s *Store) Issue(ctx Context) string

Issue creates a fresh mfa_token bound to ctx, valid for the configured TTL. Returns the opaque token string the client should present in step 2.

func (*Store) Reset

func (s *Store) Reset()

Reset clears every issued mfa_token AND turns enforcement off.

func (*Store) SetRequired

func (s *Store) SetRequired(b bool)

SetRequired toggles the global flag. When true, the password and password-realm grants return 403 mfa_required + an mfa_token instead of minting a token directly.
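The two-step contract from the Overview and the Store API documented above (Issue, Consume, IsRequired, SetRequired, Reset, WithNow), shown end to end in an added example that is not the package's own code. Because the package's import path is not given on this page, the block re-implements the documented Store semantics locally (single-use tokens, injectable clock, global flag) and wraps them in a hypothetical handleToken function that models /oauth/token over decoded form fields. The grant_type strings are Auth0's real grant-type URIs; the status codes returned for step-2 failures, the 128-bit random token format, and the choice to burn the mfa_token before the factor is checked are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"sync"
	"time"
)

// Canned challenges and TTL as documented; the grant_type values are Auth0's URIs.
const (
	acceptedOTP          = "123456"
	acceptedRecoveryCode = "ABCDEFGHIJKLMNOP"
	defaultTokenTTL      = 10 * time.Minute
	grantPasswordRealm   = "http://auth0.com/oauth/grant-type/password-realm"
	grantOTP             = "http://auth0.com/oauth/grant-type/mfa-otp"
	grantRecovery        = "http://auth0.com/oauth/grant-type/mfa-recovery-code"
)

// Context is the step-1 state carried to step 2 (same fields as the documented mfa.Context).
type Context struct{ ClientID, Audience, Scope, Subject, Realm string }

type entry struct {
	ctx     Context
	expires time.Time
}

// store re-implements the documented Store semantics for this example (not the package itself).
type store struct {
	mu       sync.Mutex
	now      func() time.Time // injectable clock, the WithNow idea
	required bool
	tokens   map[string]entry
}

func newStore(now func() time.Time) *store { return &store{now: now, tokens: map[string]entry{}} }

func (s *store) SetRequired(b bool) { s.mu.Lock(); s.required = b; s.mu.Unlock() }
func (s *store) IsRequired() bool   { s.mu.Lock(); defer s.mu.Unlock(); return s.required }
func (s *store) Reset()             { s.mu.Lock(); s.tokens = map[string]entry{}; s.required = false; s.mu.Unlock() }

// Issue binds ctx to a fresh 128-bit random opaque token valid for defaultTokenTTL.
func (s *store) Issue(ctx Context) string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	tok := hex.EncodeToString(b[:])
	s.mu.Lock()
	s.tokens[tok] = entry{ctx: ctx, expires: s.now().Add(defaultTokenTTL)}
	s.mu.Unlock()
	return tok
}

// Consume deletes the token on every lookup (single-use) and only then checks expiry.
func (s *store) Consume(tok string) (Context, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.tokens[tok]
	delete(s.tokens, tok)
	if !ok || !s.now().Before(e.expires) {
		return Context{}, false
	}
	return e.ctx, true
}

// tokenResponse stands in for the /oauth/token JSON body; a non-empty Subject marks a mint.
type tokenResponse struct {
	Status   int
	Error    string
	MFAToken string
	Subject  string
}

// handleToken models the two-step contract over the decoded POST form fields (assumed shape).
func handleToken(s *store, form map[string]string) tokenResponse {
	switch form["grant_type"] {
	case "password", grantPasswordRealm:
		ctx := Context{ClientID: form["client_id"], Subject: form["username"], Realm: form["realm"]}
		if s.IsRequired() { // step 1: refuse to mint, hand out a challenge token instead
			return tokenResponse{Status: 403, Error: "mfa_required", MFAToken: s.Issue(ctx)}
		}
		return tokenResponse{Status: 200, Subject: ctx.Subject}
	case grantOTP, grantRecovery:
		// step 2: the token is burned before the factor is checked, so a wrong code sends the
		// client back to step 1 (a production IdP keeps the token and rate-limits instead).
		ctx, ok := s.Consume(form["mfa_token"])
		if !ok {
			return tokenResponse{Status: 401, Error: "invalid_grant"} // unknown, replayed or expired
		}
		if (form["grant_type"] == grantOTP && form["otp"] != acceptedOTP) ||
			(form["grant_type"] == grantRecovery && form["recovery_code"] != acceptedRecoveryCode) {
			return tokenResponse{Status: 403, Error: "invalid_grant"}
		}
		return tokenResponse{Status: 200, Subject: ctx.Subject}
	}
	return tokenResponse{Status: 400, Error: "unsupported_grant_type"}
}
```

Consume deletes the entry before looking at the expiry so that a client cannot keep an expired token around and redeem it after the clock is rewound; the same property is what makes the wrong-code path burn the token. Pass a closure over a controllable time.Time as the clock to exercise the TTL boundary deterministically, which is the role WithNow plays for the real Store.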
