What does CF expect for MFA from an IdP?

What is the name of the domain?

internal site

What is the issue you’re encountering?

Cloudflare denies access to a website when MFA is required, even though the authentication provider has MFA.

What steps have you taken to resolve the issue?

I’ve got a self-hosted site that is using Authentik for authentication. When the policy only requires email, it works great.

Now I’m trying to require MFA. So, I’ve added MFA and OTP as required to the group in the policy.

I’ve added a TOTP device on the Authentik side.

When I try to access the CF protected site, I authenticate against Authentik (it requires me to use the TOTP), but then CF says I don’t have access to the site.

I imagine Authentik isn’t sending over anything about the MFA. In the configuration of Authentik, I’ve got email, oidc, and profile as claims. Is there one for MFA?

It’s the amr value in the payload, which is an array of authentication methods e.g. mfa for mfa or hwk for hardware key and some others.

Example of what Auth0 sends: https://community.auth0.com/t/include-claim-in-id-token-when-mfa-was-used/17112/2

From a quick search for an unrelated thread where someone shared a payload, Authentik does seem to send it: https://www.reddit.com/r/selfhosted/comments/1dhzkjf/people_with_experience_in_authentik_portainer/

    "amr": [
        "pwd",
        "mfa",
        "dod"
    ],

so the question is why Cloudflare doesn’t pick it up, to which I don’t have a certain answer. Does adding amr under “OIDC Claims” at Cloudflare’s auth provider config help at all?

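One way a relying party can evaluate the amr claim described above, as an added example that is not Cloudflare’s or Authentik’s code: it base64url-decodes an ID token payload and decides whether amr proves more than one factor, using the RFC 8176 method values (the grouping into knowledge/possession/inherence is an assumption, as is that the token signature was already verified by the OIDC library before this check runs).

```python
import base64
import json

# RFC 8176 "amr" values grouped by factor type. Assumption: this grouping is
# ours; the thread only mentions "pwd", "mfa", "hwk" and "dod".
KNOWLEDGE = {"pwd", "pin", "kba"}
POSSESSION = {"otp", "hwk", "swk", "sc", "sms", "tel"}
INHERENCE = {"face", "fpt", "iris", "retina", "vbm"}
EXPLICIT_MFA = {"mfa", "mca"}  # IdP asserts multi-factor outright


def decode_payload(id_token: str) -> dict:
    """Return the claims of a compact JWT (header.payload.signature).

    Assumes the signature has already been verified; this only splits the
    token and base64url-decodes the middle segment.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def mfa_satisfied(claims: dict) -> bool:
    """True only when amr shows an explicit MFA marker or two factor types."""
    amr = claims.get("amr")
    if not isinstance(amr, list):
        return False  # claim missing or malformed: fail closed
    methods = {m for m in amr if isinstance(m, str)}
    if methods & EXPLICIT_MFA:
        return True
    groups = (KNOWLEDGE, POSSESSION, INHERENCE)
    return sum(1 for g in groups if methods & g) >= 2


def unsigned_test_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature, for tests only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-sig"


if __name__ == "__main__":
    # Constructed sample mirroring the Authentik payload quoted in the thread.
    token = unsigned_test_token({"sub": "alice", "amr": ["pwd", "mfa", "dod"]})
    print(mfa_satisfied(decode_payload(token)))  # True
```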