Pre-MFA workflow

Trigger: user:pre_mfa

This trigger is fired after the user has completed single-factor authentication (e.g. email + password or Google) and determined which organization (if any) they are trying to access.

Example use cases

Determining if MFA is required based on data in an external service

You may be using a service like Zanzibar or OpenFGA for fine-grained access control and wish to call out to it to determine if a user needs to complete MFA.

Making MFA required if a user has a certain permission

You may wish to enforce MFA for users who have sensitive permissions such as delete:project.

Skipping MFA for certain organizations

You want to enforce MFA at an environment level for all organizations, but there are a few who do not want to adopt your policy.

MFA prompt grace period

You only want to prompt for MFA when a user has not been asked for MFA for a certain time period. See the example code.

Sample event object

The main argument provided to your code is the Kinde workflow event object, which has two keys: request and context. This gives you access to the reason the workflow was triggered and additional relevant data points. Here’s an example:

{
  "request": {
    "ip": "192.168.0.1",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Gecko/20100101 Firefox/135.0"
  },
  "context": {
    "auth": {
      "connectionId": "conn_01945d3ccf4926118bfdeb6e1158edb5" // connection ID the user auth'd with
    },
    "domains": {
      "kindeDomain": "https://example.kinde.com"
    },
    "mfa": {
      "policy": "required", // required | optional | off
      "context": "environment", // environment or organization
      "enabledFactors": ["mfa:sms", "mfa:email", "mfa:authenticator_app"], // factors you have enabled for this context
      "isUserRoleExempt": false, // advanced orgs can make specific roles exempt from MFA
      "isUserConnectionExempt": false // advanced orgs can make enterprise connections exempt from MFA
    },
    "user": {
      "id": "kp_77d28fc7b16240dd9ec12b08071fe46e" // the user's ID
    },
    "workflow": {
      "trigger": "user:pre_mfa"
    },
    "application": {
      "clientId": "cee9743fc7ee4d2e84061fe1a662051d"
    },
    "organization": {
      "code": "org_75ad9f26d2c"
    }
  }
}

The kinde.mfa binding is used to modify the MFA policy for the current auth flow.
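
The permission and organization use cases above, combined into one decision over the sample event object, as an added example that is not Kinde's own code. It assumes the permission list comes from your own access-control service; the exempt-organization list and the decision labels are hypothetical, and applying the result through the kinde.mfa binding is left to the workflow.

```javascript
// Added example: a pure decision function for the user:pre_mfa event object.
// The labels "required" | "skip" | "default" are hypothetical; the workflow
// would translate them into a call on the kinde.mfa binding.
const SENSITIVE_PERMISSIONS = new Set(["delete:project"]); // from the use case above
const EXEMPT_ORG_CODES = new Set(["org_75ad9f26d2c"]);     // constructed allowlist

function decideMfa(event, userPermissions) {
  const ctx = event && event.context;
  if (!ctx || !ctx.workflow || ctx.workflow.trigger !== "user:pre_mfa") {
    throw new Error("unexpected trigger; refusing to decide MFA policy");
  }
  // Fail closed: no answer from the permission service means MFA is required.
  if (!Array.isArray(userPermissions)) {
    return { decision: "required", reason: "permission lookup unavailable" };
  }
  // Sensitive permissions win over any organization exemption.
  const hit = userPermissions.find((p) => SENSITIVE_PERMISSIONS.has(p));
  if (hit) {
    return { decision: "required", reason: `sensitive permission ${hit}` };
  }
  // An exemption applies only to an organization explicitly on the allowlist.
  const orgCode = ctx.organization && ctx.organization.code;
  if (orgCode && EXEMPT_ORG_CODES.has(orgCode)) {
    return { decision: "skip", reason: `organization ${orgCode} exempt` };
  }
  // Otherwise leave the configured environment/organization policy untouched.
  return { decision: "default", reason: `policy ${ctx.mfa && ctx.mfa.policy}` };
}

// Constructed sample event, trimmed to the fields the function reads.
const sampleEvent = {
  request: { ip: "192.168.0.1" },
  context: {
    mfa: { policy: "required", context: "environment" },
    user: { id: "kp_77d28fc7b16240dd9ec12b08071fe46e" },
    workflow: { trigger: "user:pre_mfa" },
    organization: { code: "org_75ad9f26d2c" },
  },
};

console.log(decideMfa(sampleEvent, ["read:project"])); // exempt organization
console.log(decideMfa(sampleEvent, null));             // lookup failed
```

Evaluating the sensitive-permission check before the organization exemption keeps an exempt organization from removing MFA for its most privileged users.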

Example workflows

See examples on GitHub:

Set a grace period for MFA - Don’t ask for MFA for a set period of time after a user has logged in.