Skip to content

feat: add mfa.stepUpWithPopup() for reactive MFA step-up via Universal Login#2524

Merged
tusharpandey13 merged 73 commits intomainfrom
feat/mfa-ul
Apr 22, 2026
Merged

feat: add mfa.stepUpWithPopup() for reactive MFA step-up via Universal Login#2524
tusharpandey13 merged 73 commits intomainfrom
feat/mfa-ul

Conversation

@tusharpandey13
Copy link
Copy Markdown
Contributor

@tusharpandey13 tusharpandey13 commented Feb 16, 2026
edited
Loading

Adds client-side mfa.stepUpWithPopup() that completes MFA step-up in a popup window using Auth0 Universal Login, without a full-page redirect.

How it works: When getAccessToken() throws MfaRequiredError, the app calls mfa.stepUpWithPopup({ audience }). A popup opens, the user completes MFA, and the resulting token is cached in the session and returned to the caller.

Changes

  • Added mfa.stepUpWithPopup() to client helpers
  • Added challengeMode?: "redirect" | "popup" to StartInteractiveLoginOptions
  • Added popup mode handling to handleCallback()
  • Updated getTokenSet, handleAccessToken to enable conditional scope merging
  • Added tests for all flows
  • Updated EXAMPLES.md with clear documentation.

Usage

try {
  const token = await getAccessToken({ audience: 'https://api.example.com' });
} catch (err) {
  if (err instanceof MfaRequiredError) {
    // Trigger popup MFA step-up
    const { token } = await mfa.stepUpWithPopup({
      audience: 'https://api.example.com'
    });
  }
}

@tusharpandey13
feat: mfa error bubbling support
877f488
@tusharpandey13
feat: add mfa example app and update docs
b59e97f
@tusharpandey13
Merge remote-tracking branch 'origin/main' into feat/mfa-base
248eca7
@tusharpandey13
chore: fix example app
d89cfa4
@tusharpandey13
chore: fix example app
deb5bdb
@tusharpandey13
chore: remove irrelevant code
c572c4a
@tusharpandey13
fix: use createHmac intead of createHash
0dbaffa
@tusharpandey13
docs: add readme for mfa example app
ec0d87b
@tusharpandey13
chore: lint
742724a
@tusharpandey13
chore: add AGENTS.md
b2f92e5
@tusharpandey13
Merge branch 'chore/agent-support' into feat/mfa-apis
7af2c3b
@tusharpandey13
feat: simplify mfa base implementation; move to a stateless design
e276681
@tusharpandey13
chore: fix tests and lint
dfb2467
@tusharpandey13
chore: remove irrelevant code
cfef8dd
@tusharpandey13
Merge branch 'feat/mfa-base' of https://github.com/auth0/nextjs-auth0
a02f859 
…into feat/mfa-apis
@tusharpandey13
feat: add types for mfa apis; move MfaContext type to types/mfa.ts file
db04501
@tusharpandey13
Merge branch 'main' of https://github.com/auth0/nextjs-auth0 into fea…
004c1dd 
…t/mfa-apis
@tusharpandey13
feat: add mfa api business logic + errors; update mfa types and const…
b4e1d0b 
…ants
@tusharpandey13
chore: remove irrelevant code; add return type for mfaVerify
30ae3e6
@tusharpandey13
feat: add server mfa client; update mfa business logic methods in aut…
6864537 
…h-client
@tusharpandey13
chore: lint
123b585
@tusharpandey13
feat: add mfa_token re-encryption in chained mfa usecase; move sessio…
ac7a1cf 
…n update logic to mfaVerify in auth-client, simplify impl
@tusharpandey13
chore: lint
4b56933
@tusharpandey13
feat: add final validation in mfaVerify
7278067
@tusharpandey13
feat: add mfa handlers; add mfa error handler helper
3ae876a
@tusharpandey13
feat: add mfa client helpers; refactor server mfa error handling
aab62e9
@tusharpandey13
Merge branch 'main' of https://github.com/auth0/nextjs-auth0 into fea…
6e1a368 
…t/mfa-base
@tusharpandey13
Merge branch 'feat/mfa-base' of https://github.com/auth0/nextjs-auth0
90cf945 
…into feat/mfa-apis
@tusharpandey13
feat: externalize internal mfa endpoints
4a4de9b
@tusharpandey13
fix: correctly handle jwe decryption errors
4f35380
@tusharpandey13
fix: rename stepUpWithPopup to challengeWithPopup
d58a283
@tusharpandey13
fix: rename returnStrategy to challengeMode
6bb2751
@tusharpandey13
Merge branch 'main' into feat/mfa-ul
84a6258 
Resolve conflicts:
- src/server/auth-client.ts: keep both challengeMode and appBaseUrl in OnCallbackContext
- src/server/auth-client.test.ts: add appBaseUrl to all onCallback context expectations
- EXAMPLES.md: keep MFA popup section from feat branch
@tusharpandey13
Merge remote-tracking branch 'origin/main' into feat/mfa-ul
17aed24
@tusharpandey13
Merge remote-tracking branch 'origin/main' into feat/mfa-ul
9033f45
@gyaneshgouraw-okta
Copy link
Copy Markdown
Contributor

gyaneshgouraw-okta commented Apr 19, 2026

@copilot Review changes in this PR

@auth0 auth0 deleted a comment from Copilot AI Apr 19, 2026
gyaneshgouraw-okta
gyaneshgouraw-okta reviewed Apr 19, 2026
View reviewed changes
Comment thread src/client/helpers/get-access-token.ts
Comment thread src/server/auth-client.ts
Comment thread EXAMPLES.md Outdated
@gyaneshgouraw-okta
Copy link
Copy Markdown
Contributor

gyaneshgouraw-okta commented Apr 19, 2026

The PR in general looks well structured. Have added few minor comments.

nandan-bhat
nandan-bhat reviewed Apr 21, 2026
View reviewed changes
Comment thread src/server/auth-client.ts Outdated
Comment thread src/client/mfa/index.ts
Comment thread src/server/auth-client.ts Outdated
@nandan-bhat
Copy link
Copy Markdown
Contributor

nandan-bhat commented Apr 22, 2026

LGTM

@tusharpandey13 tusharpandey13 merged commit 9d0b615 into main Apr 22, 2026
9 checks passed
@tusharpandey13 tusharpandey13 deleted the feat/mfa-ul branch April 22, 2026 17:43
@tusharpandey13 tusharpandey13 mentioned this pull request Apr 22, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nandan-bhat nandan-bhat nandan-bhat approved these changes

@gyaneshgouraw-okta gyaneshgouraw-okta gyaneshgouraw-okta left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tusharpandey13 @codecov-commenter @gyaneshgouraw-okta @nandan-bhat