Implementing MFA Authentication with Client SDKs
Client SDK
Install SDK
Import and initialize SDK
Parameters:
baseUrl: Custom domain that must be configured to manage token response in cookies. This makes sure every request to our service is through your custom domain, preventing accidental domain blockages.
baseStaticUrl: Custom domain to override the base URL that is used to fetch static files.
persistTokens: Controls whether session tokens are stored in browser localStorage. Enabled by default and accessible via getToken(). Set to false to avoid client-side storage of tokens to reduce XSS risk.
sessionTokenViaCookie: Controls whether the session token is stored in a cookie instead of localStorage. If persistTokens is true, then by default, the token is stored in localStorage. Set this to true to store the token in a JS cookie instead.
storeLastAuthenticatedUser: Determines if the last authenticated user's info is saved in localStorage. Enabled by default and accessible via getUser(). Set to false to disable this behavior.
keepLastAuthenticatedUserAfterLogout: Controls whether user info is kept after logout. Disabled by default. Set to true to store user data on logout.
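The storage behaviour these parameters describe, as an added example that is not part of the original page or the SDK: auditSdkStorage is a hypothetical helper that resolves where the session token and user info end up for a given set of init options. It assumes that setting persistTokens to false means nothing is written client-side, and that keepLastAuthenticatedUserAfterLogout only matters when user info is stored at all.

```javascript
// Added example, not SDK code: auditSdkStorage() is a hypothetical helper that
// resolves where session data ends up for a given set of init options, using
// the defaults stated in the parameter list above.
const DEFAULTS = {
  persistTokens: true,                         // tokens kept in the browser
  sessionTokenViaCookie: false,                // localStorage unless true
  storeLastAuthenticatedUser: true,            // user info kept in localStorage
  keepLastAuthenticatedUserAfterLogout: false, // user info cleared on logout
};

function auditSdkStorage(options = {}) {
  const cfg = { ...DEFAULTS };
  const findings = [];
  for (const key of Object.keys(DEFAULTS)) {
    if (options[key] === undefined) continue;
    if (typeof options[key] === 'boolean') cfg[key] = options[key];
    // The string "false" is truthy in JavaScript, so flag non-booleans
    // instead of guessing how they would be interpreted.
    else findings.push(`${key}: expected a boolean, got ${typeof options[key]}; default assumed`);
  }

  // Assumption: with persistTokens false nothing is written client-side,
  // so sessionTokenViaCookie only matters when persistTokens is true.
  let sessionToken = 'not persisted';
  if (cfg.persistTokens) sessionToken = cfg.sessionTokenViaCookie ? 'js-cookie' : 'localStorage';

  if (sessionToken === 'localStorage')
    findings.push('session token in localStorage: readable by any script running on the origin');
  if (sessionToken === 'js-cookie')
    findings.push('session token in a script-set cookie: cannot be HttpOnly, still readable by script');

  // Assumption: the logout setting is irrelevant when user info is never stored.
  const userInfoStored = cfg.storeLastAuthenticatedUser;
  const userInfoSurvivesLogout = userInfoStored && cfg.keepLastAuthenticatedUserAfterLogout;
  if (userInfoSurvivesLogout)
    findings.push('user info stays in localStorage after logout: exposed on shared devices');
  return { sessionToken, userInfoStored, userInfoSurvivesLogout, findings };
}

// Constructed sample configurations: SDK defaults beside a hardened variant.
const defaultsReport = auditSdkStorage({});
const hardenedReport = auditSdkStorage({ persistTokens: false, storeLastAuthenticatedUser: false });
console.log(defaultsReport, hardenedReport);
```

With persistTokens set to false the application has to hold the token itself (for example in memory), since getToken() is described above as reading the persisted value.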
OIDC Configuration
If you're using our SDK as an OIDC client with our Federated Apps, you can initialize the oidcConfig parameter with the following items:
applicationId: The application ID, which can be found within the settings of your Federated Application.
redirectUri: The URL that will be redirected to if the user is unauthenticated. The default redirect URI will be used if not provided.
scope: A string of the scopes that the OIDC client will request from Descope. This should be one string value with spaces in between each scope. The default scopes are: 'openid email roles descope.custom_claims offline_access'
Sign-Up, Sign-in, or Sign-Up-Or-In
The next step after adding the Descope client SDK within your application is to utilize one of the Sign-Up, Sign-in, or Sign-Up-Or-In functions for the supported authentication methods. Once you have successfully received a JWT from the authentication method, you should store it for the next step in the MFA process.
MFA the user's authentication
Now that you have a valid JWT for your authenticated user, you can utilize Sign-in or Sign-Up-Or-In for one of the supported authentication methods, adding the user Login Options. This example will focus on the mfa parameter of the Login Options; for further details on Login Options, see the Login Options documentation.
The below example implements MFA authentication via OTP Sign-In after the user successfully signed up via TOTP Sign-Up. After a successful MFA sign-in, you will need to process the verification code via OTP Verify. After verifying, the user will then have MFA authentication.