I was referring to what I was asking before: 1) if the user needs to be enrolled into 2FA now, before this feature is built into it, and before Sphinx redirects the user anywhere with a code or token, it would be good to be able to redirect the user to a separate 2FA registration page; plus 2) once the user has completed self-registration and the account has been created in a disabled state, again without redirecting them with a token, can the user be redirected to another information page? Self-registration is the one place in this process where the user should not be treated as authenticated and no tokens should be issued.
So, in 1) I would put the user through a separate registration for 2FA, and in 2) I would terminate this process without authenticating the user and without issuing any tokens. Next, the user will not be able to sign in until after the account has been manually enabled by admins. But once it has been, the normal processing would work, with the user being authenticated (twice, with 2FA, which Sphinx already does) and normally redirected as per the Client setup, with a token, to the normal redirect URL.
But you can do that already now. Yes, a token will be created and the user will be "logged in", but the token will not have the amr claim. If you reject tokens without an amr claim, it will act as if your user is not logged in.
In the redirect URL Sphinx calls after login, just check for that and redirect the user to a 2FA registration if amr is not in the token.
Just reconfigured the Demo Simple Server for 2FA, but after signing in with a code prompt, the demo app displays a JWT without the amr claim:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3Q6MjAwMVwvdG1zXC9zcGhpbngiLCJhdWQiOiJ3ZWIiLCJleHAiOjE3MzI5NTE0NzgsImlhdCI6MTczMjk1MTE3OCwiZW1haWxfdmVyaWZpZWQiOnRydWUsInN1YiI6IjNhMTY4ZWEzLWZkMGQtNDFiMC1hOThjLTY3M2Q3NWFmMTJiYiIsImp0aSI6ImRjNGI0ODg1LWI0MzEtNDYzYi04YzQxLTQzYTgwYzMwNjI3YyIsImVtYWlsIjoiaGFuc0B0bXNzb2Z0d2FyZS5sb2NhbCIsIm5vbmNlIjoiVHZnVkFDQU1lMDBhclprYTFRcVREMDVSUlhQZVRNTmg3dlJTSEFwSFFiSSIsInRlbmFudElkIjoiSGFucyJ9.b4kwNfe8O7Vg8SRY2YReHnqyAIEZT4ge6LInNkLcn6s
Is this supposed to be automatic, or does it need to be added in the TokenConfig?
BTW, if I specify nonce, it's returned back to me in the id_token, which is great, but can I also pass in any additional parameters and also be able to see them in any of the Sphinx events in the Server DataModule?
Yes, in the TSphinxConfig.OnConfigureToken you have the opportunity to add arbitrary claims to either access token or id token.
Indeed, it must be added manually by you, for now. You can check User.TwoFactorEnabled to know if the user is required to log in with 2FA.
For the record, we are working right now on an improvement in Sphinx where you will be able to force users to configure and log in with two-factor authentication, and Sphinx will automatically show the QR Code for users to configure the authenticator.
Are you sure the above code works?
Maybe you should first break your code into small parts to check which parts work, step by step. You should be able to add a JSON array to a claim with no problem.
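Added example in Python (not Sphinx's or TMS's own code) covering two points from this thread: the check suggested earlier, where the redirect-URL handler rejects an ID token that has no amr claim and sends the user to 2FA registration instead, and the remark just above that a JSON array in a claim round-trips without trouble. It mints an HS256 token carrying an amr array under a constructed secret, verifies it, and runs the same decision over the actual ID token posted earlier in the thread; that token is only decoded, not verified, because its signing key is not on the page. The redirect paths, the secret and the amr values "pwd"/"otp" are assumptions; since the page does not show which amr values Sphinx emits, the check only tests for a non-empty array.

```python
# Added example, not Sphinx's own code: relying-party handling of the amr claim.
import base64
import hashlib
import hmac
import json
import time

# The ID token the demo app displayed in this thread (HS256, key unknown here).
PAGE_ID_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3Q6MjAwMVwvdG1zXC9zcGhpbngiLCJhdWQiOiJ3ZWIiLCJleHAiOjE3MzI5NTE0NzgsImlhdCI6MTczMjk1MTE3OCwiZW1haWxfdmVyaWZpZWQiOnRydWUsInN1YiI6IjNhMTY4ZWEzLWZkMGQtNDFiMC1hOThjLTY3M2Q3NWFmMTJiYiIsImp0aSI6ImRjNGI0ODg1LWI0MzEtNDYzYi04YzQxLTQzYTgwYzMwNjI3YyIsImVtYWlsIjoiaGFuc0B0bXNzb2Z0d2FyZS5sb2NhbCIsIm5vbmNlIjoiVHZnVkFDQU1lMDBhclprYTFRcVREMDVSUlhQZVRNTmg3dlJTSEFwSFFiSSIsInRlbmFudElkIjoiSGFucyJ9.b4kwNfe8O7Vg8SRY2YReHnqyAIEZT4ge6LInNkLcn6s"

# Constructed secret for the tokens this example mints itself (not a real key).
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"

# Hypothetical paths in the relying-party application.
TWO_FA_REGISTRATION_URL = "/2fa/register"
APP_HOME_URL = "/app"
LOGIN_URL = "/login"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Sign a claim set as an HS256 JWT; list-valued claims (like amr) are plain JSON arrays."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> dict:
    """Check alg and signature, then return the claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the header's alg blindly
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def decode_unverified(token: str) -> dict:
    """Payload only, no signature check: for inspection, never for authorization."""
    return json.loads(b64url_decode(token.split(".")[1]))


def decide_redirect(claims: dict, now: int, expected_aud: str = "web", expected_nonce=None) -> str:
    """What the redirect-URL handler does with a verified claim set."""
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return LOGIN_URL
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        return LOGIN_URL
    amr = claims.get("amr")
    # No amr (or an empty one): password-only login, so treat as not logged in
    # and send the user to enrol a second factor.
    if not isinstance(amr, list) or not amr:
        return TWO_FA_REGISTRATION_URL
    return APP_HOME_URL


if __name__ == "__main__":
    page_claims = decode_unverified(PAGE_ID_TOKEN)
    print("page token amr present:", "amr" in page_claims)
    print("page token at iat ->", decide_redirect(page_claims, now=page_claims["iat"]))
    tok = mint_hs256({"iss": "demo", "aud": "web", "exp": int(time.time()) + 300,
                      "amr": ["pwd", "otp"]}, DEMO_SECRET)  # assumed amr values
    print("minted token ->", decide_redirect(verify_hs256(tok, DEMO_SECRET), now=int(time.time())))
```

The decision function deliberately takes the verified claim set rather than the raw token, so the unverified decoder cannot be wired into it by accident; the page's own token is run through it only for illustration of the "no amr" branch.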