Expanding Flexible Factors Grant Android Support

[utkrishtsahu]

Summary:

Adds comprehensive Multi-Factor Authentication (MFA) support to the Android SDK, enabling TOTP, SMS, Email, Push, and recovery code authentication flows.

Changes

New Public APIs:

1 AuthenticationAPIClient.mfaClient(mfaToken): MfaApiClient - Factory method for MFA operations

2 MfaApiClient - Complete MFA client with methods for:

-getAuthenticators(factorsAllowed) - List available MFA authenticators filtered by allowed factors
-enroll(MfaEnrollmentType) - Unified enrollment for Phone, Email, OTP, and Push
-challenge(authenticatorId) - Request MFA challenge for an enrolled authenticator
-verify(MfaVerificationType) - Unified verification for OTP, OOB, and RecoveryCode

New Error Types:

-MfaException sealed class hierarchy for type-safe MFA error handling
-Specific exceptions: MfaListAuthenticatorsException, MfaEnrollmentException, MfaChallengeException, MfaVerifyException
-MfaRequiredErrorPayload for extracting MFA requirements from AuthenticationException
-All exceptions preserve original cause for debugging

New Data Models:

-Authenticator, Challenge
-EnrollmentChallenge sealed class: MfaEnrollmentChallenge, OobEnrollmentChallenge, TotpEnrollmentChallenge, RecoveryCodeEnrollmentChallenge
-MfaEnrollmentType sealed class: Phone, Email, Otp, Push
-MfaVerificationType sealed class: Otp, Oob, RecoveryCode

Endpoints:

-GET /mfa/authenticators - List factors
-POST /mfa/associate - Enroll in MFA
-POST /mfa/challenge - Request challenge
-POST /oauth/token - Verify with grant types: mfa-otp, mfa-oob, mfa-recovery-code

Testing
-Tested on physical device with sample app
-Unit tests for MfaApiClient and exception handling
-Sample app includes comprehensive MFA workflow examples

Reference Ticket
https://auth0team.atlassian.net/jira/software/c/projects/SDK/boards/2607?assignee=712020%3A746f4583-dada-45dc-8f76-07f273104490&selectedIssue=SDK-6405

[pmathew92]

This is not the correct way. Use the addValidator method of the Request class to handle the validation logic

[NandanPrabhu]

default error code needs to be removed as discussed

[pmathew92]

Rename it to mfaClient

[pmathew92]

Keep this as part of the MfaRequirements error body and not separate.

[pmathew92]

Hope the name is consistent with Auth0.Swift implementation

[pmathew92]

Why make them internal ?

[Copilot]

Pull request overview

This PR adds comprehensive Multi-Factor Authentication (MFA) support to the Android SDK, enabling developers to implement TOTP, SMS, Email, and recovery code authentication flows.

Changes:

• Introduced new MfaApiClient with methods for listing authenticators, enrollment, challenge, and verification operations
• Added MfaException sealed class hierarchy for type-safe MFA error handling with specific exceptions for different operations
• Extended AuthenticationException and CredentialsManagerException to expose MFA tokens and requirements for continuing MFA flows

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
MfaRequirements.kt	New data model representing MFA requirements returned by Auth0 (challenge/enroll types)
Authenticator.kt	New data model representing enrolled MFA authenticator details
MfaException.kt	New sealed class hierarchy for MFA-specific exceptions with fallback error codes
MfaApiClient.kt	New API client providing methods for MFA operations (list, enroll, challenge, verify)
AuthenticationAPIClient.kt	Added factory method mfa() to create MfaApiClient instances; exposed internal error adapter
AuthenticationException.kt	Added mfaToken and mfaRequirements properties to support MFA flow continuation
CredentialsManagerException.kt	Added MFA_REQUIRED error code and properties for MFA token/requirements
CredentialsManager.kt	Added MFA error detection and exception wrapping in credential renewal flows
SecureCredentialsManager.kt	Added MFA error detection and exception wrapping in credential renewal flows

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The new mfaToken and mfaRequirements properties in CredentialsManagerException are missing the @JvmName annotation. If Java callers want to access these properties, they would need to use getMfaToken() and getMfaRequirements(), but since these are custom getters, the Java method names might not be ideal. Consider adding @JvmName annotations for consistency with Java interoperability.

[Copilot]

The MfaRequiredException.mfaRequirements property returns Map<String, Any>? instead of the more type-safe MfaRequirements class that exists in the codebase. This forces consumers to work with untyped maps when a proper data class is available, reducing type safety and developer experience.

Suggested change

	public val mfaRequirements: Map<String, Any>?
	get() = getValue("mfa_requirements") as? Map<String, Any>
	public data class MfaRequirements(
	val enroll: List<String>?,
	val challenge: List<String>?
	)
	public val mfaRequirements: MfaRequirements?
	get() {
	val raw = getValue("mfa_requirements") as? Map<*, *> ?: return null
	val enroll = (raw["enroll"] as? List<*>)?.filterIsInstance<String>()
	val challenge = (raw["challenge"] as? List<*>)?.filterIsInstance<String>()
	return MfaRequirements(enroll = enroll, challenge = challenge)
	}

[pmathew92]

Agree. Here instead of the Map we can return the defined MfaRequirements instance

[Copilot]

The enroll method has complex parameter validation logic based on factorType, but there's no input validation for required parameters. For example, when factorType is "phone", phoneNumber should be required but there's no check to ensure it's provided. This could lead to API errors that would be better caught earlier with proper validation.

[Copilot]

The enroll method uses locale-sensitive lowercase() for factorType comparison. This could lead to unexpected behavior with Turkish or other locales where lowercase transformations differ. Use factorType.lowercase(Locale.ROOT) or factorType.lowercase(Locale.ENGLISH) for consistent behavior across all locales.

[Copilot]

The documentation example has extra whitespace before the comment text on line 160. This formatting inconsistency should be corrected to maintain code quality standards.

Suggested change

	* // Code sent, now prompt user for the OTP they received
	* // Code sent, now prompt user for the OTP they received

[Copilot]

The getAvailableAuthenticators method throws MfaListAuthenticatorsException for validation errors, which is inconsistent with standard Kotlin/Java practices. SDK validation errors should typically throw IllegalArgumentException or similar, while MfaListAuthenticatorsException should be reserved for API/network errors that occur during request execution. This creates confusion as the exception can be thrown synchronously (validation) or asynchronously (API error).

[Copilot]

There is code duplication in the MFA error handling across CredentialsManager and SecureCredentialsManager. The same MFA detection and exception creation logic appears in multiple places (lines 547-558, 674-685, 915-926, 1074-1085). Consider extracting this into a shared helper method to reduce duplication and improve maintainability.

[utkrishtsahu]

The duplication is intentional for clarity at each call site. The duplicated block is only ~10 lines and each location has different surrounding error handling. We can consider extracting a helper in a future refactoring PR if needed.

[Copilot]

The companion object visibility is changed from private to internal, which expands the API surface. Unless there's a specific requirement for internal access to createErrorAdapter, this change increases coupling between internal components and may make future refactoring more difficult.

Suggested change

	internal fun createErrorAdapter(): ErrorAdapter<AuthenticationException> {
	private fun createErrorAdapter(): ErrorAdapter<AuthenticationException> {

[Copilot]

The documentation example at line 176 shows calling "verifyOtp" but the actual method name is "verifyWithOtp". This inconsistency in the documentation will confuse developers trying to use the API.

Suggested change

	* val credentials = mfaClient.verifyOtp("123456").await()
	* val credentials = mfaClient.verifyWithOtp("123456").await()

[utkrishtsahu]

The method is correctly named verifyOtp() in the implementation. The Copilot suggestion is outdated - it was referencing an old name verifyWithOtp that was renamed per another review comment. The documentation matches the actual method name.

[Copilot]

The AuthenticationException.mfaRequirements property performs JSON serialization/deserialization on every access, which is inefficient if the property is accessed multiple times. Consider caching the deserialized MfaRequirements object in a lazy-initialized backing field to avoid repeated conversions.

[pmathew92]

Create a new Adapter for this class instead of reusing the AuthenticationException one. All errors from this set of APIs should return the new error type

[pmathew92]

factorsAllowed is not an optional parameter.

[pmathew92]

Filtering should be done by the SDK

[utkrishtsahu]

Done. Removed the query parameter approach. Filtering is now done by the SDK using createFilteringAuthenticatorsAdapter() which filters the API response based on factorsAllowed before returning to the caller.

[pmathew92]

Would suggest your make this a private method and expose public methods for individual factors like what you have written for enrollTotp. This method doesn't look DX friendly. I think web and Swift is also exposing individual public APIs

[pmathew92]

AuthenticationRequest is bound to an AuthenticationException . Since we will have a completely new error class here , I would suggest we use the Request interface. This will also be consistent with other methods in this class

[pmathew92]

I don't think we would need separate error classes for different APIs. A single MfaException class should suffice IMO. Check with @NandanPrabhu and decide on a single class

[utkrishtsahu]

Swift SDK - also uses separate error classes (MfaListAuthenticatorsError, MfaEnrollmentError, MfaChallengeError, MFAVerifyError). Our Android implementation follows the same pattern for consistency across SDKs.

[pmathew92]

Lets create a single Exception class

[utkrishtsahu]

The Swift SDK uses separate error classes (MfaListAuthenticatorsError, MfaEnrollmentError, MfaChallengeError, MFAVerifyError). Our Android implementation uses a sealed class hierarchy for consistency with Swift and to provide type-safe error handling. Users can still catch MfaException as a single base class if they prefer unified handling.

[pmathew92]

where is this MfaRequiredException being used . Doesn't the existing login APIs return AuthenticationException. So users would catch it and check for MfaRequired error and proceed with Mfa flow

[pmathew92]

lets return token as part of the MfaRequirements

[pmathew92]

Keep mfaToken as part of MfaRequirements

[pmathew92]

Lets add mfaToken also as part of this

[gyaneshgouraw-okta]

@utkrishtsahu I don't see examples updated as part of this PR. Please update examples also as for all new mfa methods added.

[Copilot]

Pull request overview

Copilot reviewed 13 out of 13 changed files in this pull request and generated 20 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The examples call .validateClaims() on mfaClient.verifyOtp(...) / verifyOob(...) / verifyRecoveryCode(...), but those methods return Request<Credentials, MfaVerifyException> (not AuthenticationRequest), so validateClaims() won’t be available. The docs should either omit validateClaims() here or provide an alternative claim-validation approach for MFA token exchanges.

[utkrishtsahu]

Fixed. The MFA verify examples no longer call .validateClaims() since verify() returns Request<Credentials, MfaVerifyException>, not AuthenticationRequest.

[Copilot]

The KDoc for invalid_request mentions challengeType and “challenge type”, but the actual validation/error refers to factorsAllowed (factor types). Please update the documentation text so it matches the API parameter and meaning.

Suggested change

	* - `invalid_request`: challengeType is required and must contain at least one challenge type
	* - `invalid_request`: factorsAllowed is required and must contain at least one factor type

[Copilot]

fromException creates a new MFA exception but drops the original cause (network and non-network). This loses stack traces and error classification (compare to AuthenticationAPIClient’s error adapter which wraps causes). Consider passing the throwable as the exception cause (and using NetworkErrorException for network failures).

[utkrishtsahu]

Fixed. The fromException method now preserves the original throwable via cause = cause in all MFA exception adapters.

[Copilot]

Same as above: createEnrollmentErrorAdapter().fromException discards the original throwable. Please preserve cause when constructing MfaEnrollmentException so callers can inspect root errors and stack traces.

[utkrishtsahu]

Fixed. The fromException method now preserves the original throwable via cause = cause in all MFA exception adapters.

[Copilot]

The example doesn’t match the actual SDK types/signatures: requirements?.challenge is a List<MfaFactor> (not List<String>), and MfaAuthenticator isn’t a type in the SDK (the model is com.auth0.android.result.Authenticator). The snippet should map requirements.challenge to it.type and use Callback<List<Authenticator>, MfaListAuthenticatorsException>.

[utkrishtsahu]

Fixed. The example now maps requirements?.challenge?.map { it.type } to get List, and uses Authenticator (not MfaAuthenticator).

[Copilot]

This enrollment example references non-existent APIs/types (enrollPhone(..., PhoneEnrollmentType.SMS) and MfaEnrollment). In the current implementation, enrollPhone only accepts a phone number and returns EnrollmentChallenge (or a specific subtype). Please update the example to use the real method signature and return type(s).

[utkrishtsahu]

This has been fixed. The example now uses the correct API: enroll(MfaEnrollmentType.Phone(...)) returning EnrollmentChallenge.

[Copilot]

In the MFA-required example, requirements?.challenge / requirements?.enroll are lists of MfaFactor (factor types), not “authenticators to challenge”. The comments and variable naming imply you can directly challenge these; instead, you still need to call getAuthenticators(...) and then challenge(authenticatorId).

Suggested change

	val canChallenge = requirements?.challenge // List of authenticators to challenge
	val canChallenge = requirements?.challenge // List of factor types that can be challenged

[Copilot]

matchesFactorType’s "oob" branch only checks authenticator.authenticatorType == "oob". If the API omits authenticator_type but returns type: "oob" (as in some test JSON), OOB authenticators won’t match and will be filtered out. Consider matching against authenticator.type and/or effectiveType instead.

Suggested change

	"oob" -> authenticator.authenticatorType == "oob"
	"oob" -> authenticator.authenticatorType == "oob" || effectiveType == "oob"

[Copilot]

createChallengeErrorAdapter().fromException currently drops the original throwable. Consider storing it as the cause (and wrapping network errors similarly to other SDK clients) to keep diagnostics intact.

[utkrishtsahu]

Fixed - all fromException methods now pass cause = cause to preserve the original throwable for diagnostics.

[Copilot]

EnrollmentChallenge.authSession was changed to nullable. Since this is a public model used across the SDK (e.g., MyAccount enrollment/verification flows), making it nullable is a breaking API change for consumers. If the API always returns auth_session, keep it non-null; if it can be absent, consider introducing a separate subtype or documenting/handling the nullability explicitly.

[utkrishtsahu]

Kotlin requires the base abstract property to be nullable when any subclass needs nullable. OobEnrollmentChallenge needs it nullable for OOB API responses. Existing subclasses still use non-null String, so backward compatibility is maintained.

[gyaneshgouraw-okta]

@utkrishtsahu Please add a disclaimer that this feature is in early access.

[utkrishtsahu]

Added.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[pmathew92]

It can be either challenge type or enroll type. The example should showcase only one can be present at a time. Check SPA for reference

[pmathew92]

Is this a valid scenario ? Do we need to handle duplicate authenticators post filtering ? @gyaneshgouraw-okta

[utkrishtsahu]

removed handling duplicate authenticators to make it consisten across sdks

[pmathew92]

nit: move all private methods after the public methods
The order should be:
private properties
public properties
public methods
private methods / /As these are generally helper methods

[pmathew92]

Is auth0 the only oob channel value possible ? Can we have push notification via other authenticator apps ?
cc @gyaneshgouraw-okta

[pmathew92]

do we need this property now since mfaRequiredErrorPayload contains the token already

[utkrishtsahu]

The mfaToken convenience property provides a simpler API for the common use case. Same pattern exists in AuthenticationException.

[pmathew92]

Why is this being made nullable type?

[utkrishtsahu]

OobEnrollmentChallenge (SMS/Email) doesn't always receive id/authSession from the API. Kotlin sealed class rules require base class properties to be supertypes of subclass overrides—so if any subclass needs nullable, the base must be nullable too. Existing subclasses still override as non-null, so no breaking change.

[pmathew92]

Why is this being made nullable ?

[pmathew92]

CredentialsManager exceptions are not being handled in test cases ?

[utkrishtsahu]

added test test case for CredentialsManager exceptions.

[pmathew92]

These can be simple properties as the values will not change
private val clientId: String = auth0.clientId
private val baseURL: String = auth0.getDomainUrl()

[pmathew92]

Why do you need to use reflection here?

[pmathew92]

You can just add few new cases in the exisitng CredentialsManager and SecureCredentialsManager test class . That will be easier approach than this

[pmathew92]

**Both present**: is not a valid scenario. Check with @gyaneshgouraw-okta

[pmathew92]

This is an invalid case as both Challenge And Enroll options won't come. Update for testing with only one case

[utkrishtsahu]

Removed the invalid test case shouldFailWithMfaRequiredContainingBothChallengeAndEnrollOptions.

The single-case scenarios are already covered by existing tests:

shouldFailWithMfaRequiredWhenRenewingExpiredCredentials — tests challenge-only response
shouldFailWithMfaRequiredWithEnrollmentOptionsWhenRenewingCredentials — tests enroll-only respons

[pmathew92]

Invalid case. either only challenge or enroll options are present. update as such

[utkrishtsahu]

Removed the invalid test case shouldFailWithMfaRequiredContainingBothChallengeAndEnrollOptions.

The single-case scenarios are already covered by existing tests:

shouldFailWithMfaRequiredWhenRenewingExpiredCredentials — tests challenge-only response
shouldFailWithMfaRequiredWithEnrollmentOptionsWhenRenewingCredentials — tests enroll-only respons

[pmathew92]

Remove the generated comments from both these classes . the ones like
// Arrange
//Act
//Verify
Gives an impression of AI generated

[pmathew92]

Why do you need latch here ? this is going to block the thread for 5 secs in worst case. . Check the existing test cases for MyAccountAPI or AuthenticationAPIClient on how to handle call back scenarios or alternate solutions

[utkrishtsahu]

removed latch causing build delay to mockball.

[pmathew92]

Same as https://github.com/auth0/Auth0.Android/pull/896/files#r2759875791

[utkrishtsahu]

removed latch causing build delay to mockball.

[pmathew92]

Same as https://github.com/auth0/Auth0.Android/pull/896/files#r2759875791

[utkrishtsahu]

removed latch causing build delay to mockball.

[pmathew92]

Same as https://github.com/auth0/Auth0.Android/pull/896/files#r2759875791

[utkrishtsahu]

removed latch causing build delay to mockball.