5.14.12 Configuring Multi-Factor Authentication for Resource Owner Credentials Grant

Access Manager supports multi-factor authentication for the Authorization Code flow and the Implicit flow. From Access Manager 5.0 onwards, you can also invoke multi-factor authentication for the Resource Owner Credentials flow. This authentication flow applies only to the plug-in-based Advanced Authentication methods (Smartphone and Voice Call).

Perform the following steps to configure multi-factor authentication for Resource Owner Credentials Grant:

  1. Create an authentication class. See Creating Authentication Classes.

    NOTE: Only Smartphone and Voice Call classes are supported.

  2. Create a method and contract. See Configuring Authentication Methods and Configuring Authentication Contracts.

    NOTE: While creating the method, you can use the MAXRETRY and RETRYTIMEOUT properties to configure authentication timeout. For more information, see Optional Properties (KEY/Value) for Authentication Methods.

  3. Navigate to Devices > Identity Server > Edit > OAuth & OpenID Connect > Global Settings.

  4. Under Contracts for Resource Owner Credentials Authentication, assign the Name/Password contract and the contract you created in Step 2.

    or

    (Client application developer) In the client application token request, send the contract URI in the acr_values parameter.

    This scenario is useful when you want to restrict the contract for specific client applications.

For more information about the Resource Owner Credentials authentication contract, see Defining Global Settings.
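
The client-side option in Step 4, as an added Python example (not code from the Access Manager documentation): it builds a Resource Owner Credentials token request that carries the contract URI in acr_values. The endpoint URL, client credentials, and contract URI are constructed placeholders, and sending the client credentials in the request body is an assumption about the client registration.

```python
import urllib.parse
import urllib.request


def build_ropc_form(client_id, client_secret, username, password,
                    contract_uris, scope=None):
    """Return the form fields of a password-grant token request that
    names the required authentication contract(s) in acr_values."""
    if not contract_uris:
        raise ValueError("at least one contract URI is required")
    for uri in contract_uris:
        # acr_values is space-separated, so a URI cannot contain whitespace.
        if not uri or any(ch.isspace() for ch in uri):
            raise ValueError("invalid contract URI: %r" % uri)
    form = {
        "grant_type": "password",
        "client_id": client_id,          # assumption: credentials in body
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "acr_values": " ".join(contract_uris),
    }
    if scope:
        form["scope"] = scope
    return form


def build_ropc_request(token_endpoint, form):
    """Wrap the form in a POST request; refuse non-TLS endpoints because
    the user's password and the client secret travel in the body."""
    if urllib.parse.urlsplit(token_endpoint).scheme != "https":
        raise ValueError("token endpoint must use https")
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(
        token_endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


if __name__ == "__main__":
    # Constructed placeholder values, not taken from a real deployment.
    form = build_ropc_form(
        "CLIENT_ID", "CLIENT_SECRET", "alice", "p@ss word",
        ["urn:example:contract:smartphone-mfa"], scope="profile")
    req = build_ropc_request("https://idp.example.com/TOKEN_ENDPOINT", form)
    print(req.get_method(), req.full_url)
    print(req.data.decode("ascii"))
```

To send the request, pass the returned object to urllib.request.urlopen with a timeout that suits your deployment.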