Expanding Flexible Factors Grant Android Support

[utkrishtsahu]

Summary:

Adds comprehensive Multi-Factor Authentication (MFA) support to the Android SDK, enabling TOTP, SMS, Email, and recovery code authentication flows.

Changes

New Public APIs:

1. AuthenticationAPIClient.mfa(mfaToken): MfaApiClient - Factory method for MFA operations

2. MfaApiClient - Complete MFA client with methods for:

• getAvailableAuthenticators() - List available MFA factors
• enrollTotp() / enroll() - Enroll in TOTP or OOB authenticators
• challenge() - Request MFA challenges
• verifyWithOtp() / verifyWithOob() / verifyWithRecoveryCode() - Complete authentication

New Error Types:

MfaException sealed class hierarchy for type-safe MFA error handling
Specific exceptions: MfaListAuthenticatorsException, MfaEnrollmentException, MfaChallengeException, MfaVerifyException, MfaRequiredException
Includes fallback error codes aligned

New Data Models:
Authenticator, Challenge, EnrollmentChallenge, TotpEnrollmentChallenge, OobEnrollmentChallenge

Endpoints:

• GET /mfa/authenticators - List factors
• POST /mfa/associate - Enroll in MFA
• POST /mfa/challenge - Request challenge
• POST /oauth/token - Verify with grant types: mfa-otp, mfa-oob, mfa-recovery-code.

Testing

Tested on physical device with sample app.
Unit Test yet to write.
Sample app includes comprehensive MFA workflow examples

Reference Ticket

https://auth0team.atlassian.net/jira/software/c/projects/SDK/boards/2607?assignee=712020%3A746f4583-dada-45dc-8f76-07f273104490&selectedIssue=SDK-6405

[pmathew92]

This is not the correct way. Use the addValidator method of the Request class to handle the validation logic

[NandanPrabhu]

default error code needs to be removed as discussed

[pmathew92]

Rename it to mfaClient

[pmathew92]

Keep this as part of the MfaRequirements error body and not separate.

[pmathew92]

Hope the name is consistent with Auth0.Swift implementation

[pmathew92]

Why make them internal ?

[Copilot]

Pull request overview

This PR adds comprehensive Multi-Factor Authentication (MFA) support to the Android SDK, enabling developers to implement TOTP, SMS, Email, and recovery code authentication flows.

Changes:

• Introduced new MfaApiClient with methods for listing authenticators, enrollment, challenge, and verification operations
• Added MfaException sealed class hierarchy for type-safe MFA error handling with specific exceptions for different operations
• Extended AuthenticationException and CredentialsManagerException to expose MFA tokens and requirements for continuing MFA flows

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
MfaRequirements.kt	New data model representing MFA requirements returned by Auth0 (challenge/enroll types)
Authenticator.kt	New data model representing enrolled MFA authenticator details
MfaException.kt	New sealed class hierarchy for MFA-specific exceptions with fallback error codes
MfaApiClient.kt	New API client providing methods for MFA operations (list, enroll, challenge, verify)
AuthenticationAPIClient.kt	Added factory method mfa() to create MfaApiClient instances; exposed internal error adapter
AuthenticationException.kt	Added mfaToken and mfaRequirements properties to support MFA flow continuation
CredentialsManagerException.kt	Added MFA_REQUIRED error code and properties for MFA token/requirements
CredentialsManager.kt	Added MFA error detection and exception wrapping in credential renewal flows
SecureCredentialsManager.kt	Added MFA error detection and exception wrapping in credential renewal flows

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The new mfaToken and mfaRequirements properties in CredentialsManagerException are missing the @JvmName annotation. If Java callers want to access these properties, they would need to use getMfaToken() and getMfaRequirements(), but since these are custom getters, the Java method names might not be ideal. Consider adding @JvmName annotations for consistency with Java interoperability.

[Copilot]

The MfaRequiredException.mfaRequirements property returns Map<String, Any>? instead of the more type-safe MfaRequirements class that exists in the codebase. This forces consumers to work with untyped maps when a proper data class is available, reducing type safety and developer experience.

Suggested change

	public val mfaRequirements: Map<String, Any>?
	get() = getValue("mfa_requirements") as? Map<String, Any>
	public data class MfaRequirements(
	val enroll: List<String>?,
	val challenge: List<String>?
	)
	public val mfaRequirements: MfaRequirements?
	get() {
	val raw = getValue("mfa_requirements") as? Map<*, *> ?: return null
	val enroll = (raw["enroll"] as? List<*>)?.filterIsInstance<String>()
	val challenge = (raw["challenge"] as? List<*>)?.filterIsInstance<String>()
	return MfaRequirements(enroll = enroll, challenge = challenge)
	}

[pmathew92]

Agree. Here instead of the Map we can return the defined MfaRequirements instance

[Copilot]

The enroll method has complex parameter validation logic based on factorType, but there's no input validation for required parameters. For example, when factorType is "phone", phoneNumber should be required but there's no check to ensure it's provided. This could lead to API errors that would be better caught earlier with proper validation.

[Copilot]

The enroll method uses locale-sensitive lowercase() for factorType comparison. This could lead to unexpected behavior with Turkish or other locales where lowercase transformations differ. Use factorType.lowercase(Locale.ROOT) or factorType.lowercase(Locale.ENGLISH) for consistent behavior across all locales.

[Copilot]

The documentation example has extra whitespace before the comment text on line 160. This formatting inconsistency should be corrected to maintain code quality standards.

Suggested change

	* // Code sent, now prompt user for the OTP they received
	* // Code sent, now prompt user for the OTP they received

[Copilot]

The getAvailableAuthenticators method throws MfaListAuthenticatorsException for validation errors, which is inconsistent with standard Kotlin/Java practices. SDK validation errors should typically throw IllegalArgumentException or similar, while MfaListAuthenticatorsException should be reserved for API/network errors that occur during request execution. This creates confusion as the exception can be thrown synchronously (validation) or asynchronously (API error).

[Copilot]

There is code duplication in the MFA error handling across CredentialsManager and SecureCredentialsManager. The same MFA detection and exception creation logic appears in multiple places (lines 547-558, 674-685, 915-926, 1074-1085). Consider extracting this into a shared helper method to reduce duplication and improve maintainability.

[Copilot]

The companion object visibility is changed from private to internal, which expands the API surface. Unless there's a specific requirement for internal access to createErrorAdapter, this change increases coupling between internal components and may make future refactoring more difficult.

Suggested change

	internal fun createErrorAdapter(): ErrorAdapter<AuthenticationException> {
	private fun createErrorAdapter(): ErrorAdapter<AuthenticationException> {

[Copilot]

The documentation example at line 176 shows calling "verifyOtp" but the actual method name is "verifyWithOtp". This inconsistency in the documentation will confuse developers trying to use the API.

Suggested change

	* val credentials = mfaClient.verifyOtp("123456").await()
	* val credentials = mfaClient.verifyWithOtp("123456").await()

[Copilot]

The AuthenticationException.mfaRequirements property performs JSON serialization/deserialization on every access, which is inefficient if the property is accessed multiple times. Consider caching the deserialized MfaRequirements object in a lazy-initialized backing field to avoid repeated conversions.

[pmathew92]

Create a new Adapter for this class instead of reusing the AuthenticationException one. All errors from this set of APIs should return the new error type

[pmathew92]

factorsAllowed is not an optional parameter.

[pmathew92]

Filtering should be done by the SDK

[pmathew92]

Would suggest your make this a private method and expose public methods for individual factors like what you have written for enrollTotp. This method doesn't look DX friendly. I think web and Swift is also exposing individual public APIs

[pmathew92]

AuthenticationRequest is bound to an AuthenticationException . Since we will have a completely new error class here , I would suggest we use the Request interface. This will also be consistent with other methods in this class

[pmathew92]

I don't think we would need separate error classes for different APIs. A single MfaException class should suffice IMO. Check with @NandanPrabhu and decide on a single class

[pmathew92]

Lets create a single Exception class

[pmathew92]

where is this MfaRequiredException being used . Doesn't the existing login APIs return AuthenticationException. So users would catch it and check for MfaRequired error and proceed with Mfa flow

[pmathew92]

lets return token as part of the MfaRequirements

[pmathew92]

Keep mfaToken as part of MfaRequirements

[pmathew92]

Lets add mfaToken also as part of this