I have a single-page application written in Angular 7 which communicates with my ASP.NET Core 2.2 Web API server. On login, the user sends his credentials to my authorization server (connect/token) using the "resource owner password credentials" grant. I am trying to add 2-factor authentication (SMS), but I can't find any example describing how to do this. All the examples I found were written with MVC using cookie authentication.
I was thinking about this flow, but it feels to me there should be a much better way:
- A user enters his user name & password
- If the user has 2 factors enabled, I will send him an SMS with a code. In addition, a limited access_token and id_token will be sent to the client. This access_token will be valid only to enable the user to send the 2-factor code. If the id_token has a claim 'two factors': 'on', I will redirect the user to the SMS confirmation code page.
- The user will send a POST request with the code. If the code matches, I will return to the client a new access_token with all the claims.
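An added example (not code from the question, nor from ASP.NET Core or IdentityServer) of how the two token steps in the flow above can be expressed with System.IdentityModel.Tokens.Jwt: a short-lived token carrying only a `two_factor: pending` claim, then a full token once the SMS code is verified. The key, issuer, audience and claim names are constructed placeholders; `TwoFactorTokens` is a hypothetical helper, not a library API.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper: issues the limited and the full token of the two-step flow.
public static class TwoFactorTokens
{
    // Constructed demo key; a real server loads it from configuration or a secret store.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-key-at-least-32-bytes-long!!"));

    // Step 1: password verified and 2FA enabled. The token is short-lived and carries
    // no user claims, so it can only reach the code-verification endpoint.
    public static string IssueLimitedToken(string userId)
        => Sign(new[] {
            new Claim(JwtRegisteredClaimNames.Sub, userId),
            new Claim("two_factor", "pending") }, TimeSpan.FromMinutes(5));

    // Step 2: code matched. The full token carries the user's real claims and records
    // that MFA was used ("amr" = "mfa"), which APIs can require via a policy.
    public static string IssueFullToken(string userId, IEnumerable<Claim> userClaims)
    {
        var claims = new List<Claim>(userClaims) {
            new Claim(JwtRegisteredClaimNames.Sub, userId),
            new Claim(JwtRegisteredClaimNames.Amr, "mfa") };
        return Sign(claims, TimeSpan.FromHours(1));
    }

    // Constant-time comparison of the submitted SMS code against the stored one.
    // The stored code should also be single-use, expiring, and rate-limited per user.
    public static bool CodeMatches(string submitted, string expected)
        => submitted.Length == expected.Length &&
           CryptographicOperations.FixedTimeEquals(
               Encoding.UTF8.GetBytes(submitted), Encoding.UTF8.GetBytes(expected));

    static string Sign(IEnumerable<Claim> claims, TimeSpan lifetime)
    {
        var token = new JwtSecurityToken(
            issuer: "https://auth.example", audience: "api",            // placeholders
            claims: claims, expires: DateTime.UtcNow.Add(lifetime),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}
// In Startup.ConfigureServices, the verification endpoint is gated by
//   options.AddPolicy("TwoFactorPending", p => p.RequireClaim("two_factor", "pending"));
// and protected APIs by
//   options.AddPolicy("Mfa", p => p.RequireClaim(JwtRegisteredClaimNames.Amr, "mfa"));
```

Keeping the limited token free of the user's real claims is what makes the first token harmless if it leaks before the code is entered.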