Access Manager supports multi-factor authentication for the Authorization Code flow and the Implicit flow. From Access Manager 5.0 onwards, you can also invoke multi-factor authentication for the Resource Owner Credentials flow. This authentication flow applies only to Plug-in-based Advanced Authentication (Smartphone and Voice Call) methods.
Perform the following steps to configure multi-factor authentication for Resource Owner Credentials Grant:
1. Create an authentication class. See Creating Authentication Classes.
   NOTE: Only Smartphone and Voice Call classes are supported.
2. Create a method and contract. See Configuring Authentication Methods and Configuring Authentication Contracts.
   NOTE: While creating the method, you can use the MAXRETRY and RETRYTIMEOUT properties to configure authentication timeout. For more information, see Optional Properties (KEY/Value) for Authentication Methods.
3. Navigate to Devices > Identity Server > Edit > OAuth & OpenID Connect > Global Settings.
4. Under Contracts for Resource Owner Credentials Authentication, assign the Name/Password contract and the contract you created in Step 2.
   or
   (Client application developer) In the client application token request, send the contract URI in the acr_values parameter.
   This scenario is useful when you want to restrict the contract for specific client applications.
For more information about the Resource Owner Credentials authentication contract, see Defining Global Settings.
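The client-side option (sending the contract URI in acr_values) can look like the following. This is an added example, not code from the Access Manager documentation. The endpoint URL and contract URI are constructed placeholders, and sending the client credentials as form fields is an assumption; use whatever client authentication your client registration requires.

```python
import urllib.parse
import urllib.request

# Constructed placeholders: substitute your Identity Server's token endpoint
# and the URI of the contract created for the Smartphone or Voice Call method.
TOKEN_ENDPOINT = "https://idp.example.com/token-endpoint-placeholder"
MFA_CONTRACT_URI = "urn:example:contract:smartphone-placeholder"


def build_ropc_token_request(token_endpoint, client_id, client_secret,
                             username, password, contract_uri=None, scope=None):
    """Build (but do not send) a Resource Owner Credentials token request."""
    parts = urllib.parse.urlsplit(token_endpoint)
    if parts.scheme != "https" or not parts.netloc:
        # The body carries the user's password and the client secret.
        raise ValueError("token endpoint must be an https:// URL")

    form = {
        "grant_type": "password",        # RFC 6749 section 4.3
        "client_id": client_id,          # assumption: credentials in the body
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }
    if scope:
        form["scope"] = scope
    if contract_uri is not None:
        # acr_values is space-delimited in OpenID Connect, so embedded
        # whitespace would be read as a second requested value.
        if not contract_uri or any(ch.isspace() for ch in contract_uri):
            raise ValueError("contract URI must be a single value without whitespace")
        form["acr_values"] = contract_uri

    # urlencode percent-encodes reserved characters in the URI and password.
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(
        token_endpoint,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )
```

When contract_uri is omitted, no acr_values field is sent and the contracts assigned under Global Settings apply.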