feat: SMS OTP POC implementation for flexible grant factor

Author: utkrishtsahu

auth0/src/main/java/com/auth0/android/authentication/AuthenticationAPIClient.kt

@@ -24,6 +24,8 @@ import com.auth0.android.request.internal.GsonAdapter.Companion.forMapOf
 import com.auth0.android.request.internal.GsonProvider
 import com.auth0.android.request.internal.RequestFactory
 import com.auth0.android.request.internal.ResponseUtils.isNetworkError
+import com.auth0.android.result.Authenticator
+import com.auth0.android.result.AuthenticatorsList
 import com.auth0.android.result.Challenge
 import com.auth0.android.result.Credentials
 import com.auth0.android.result.DatabaseUser
@@ -474,6 +476,47 @@ public class AuthenticationAPIClient @VisibleForTesting(otherwise = VisibleForTe
             .addParameters(parameters)
     }
 
+    /**
+     * List the available MFA authenticators for the user.
+     * This method should be called after receiving an `mfa_required` error to determine which
+     * authenticators are available for completing the MFA challenge.
+     *
+     * Example usage:
+     *
+     * ```
+     * client.listAuthenticators("{mfa token}")
+     *     .start(object : Callback<AuthenticatorsList, AuthenticationException> {
+     *         override fun onSuccess(result: AuthenticatorsList) {
+     *             // Use result.smsAuthenticators to get SMS authenticators
+     *             val smsAuth = result.firstActiveSmsAuthenticator
+     *             if (smsAuth != null) {
+     *                 // Trigger SMS challenge with this authenticator
+     *             }
+     *         }
+     *         override fun onFailure(error: AuthenticationException) { }
+     *     })
+     * ```
+     *
+     * @param mfaToken the MFA token received in the `mfa_required` error response
+     * @return a request to configure and start that will yield [AuthenticatorsList]
+     */
+    public fun listAuthenticators(
+        mfaToken: String
+    ): Request<AuthenticatorsList, AuthenticationException> {
+        val parameters = ParameterBuilder.newBuilder()
+            .set(MFA_TOKEN_KEY, mfaToken)
+            .asDictionary()
+        val url = auth0.getDomainUrl().toHttpUrl().newBuilder()
+            .addPathSegment(MFA_PATH)
+            .addPathSegment(AUTHENTICATORS_PATH)
+            .build()
+        val authenticatorsListAdapter: JsonAdapter<AuthenticatorsList> = GsonAdapter(
+            AuthenticatorsList::class.java, gson
+        )
+        return factory.post(url.toString(), authenticatorsListAdapter)
+            .addParameters(parameters)
+    }
+
     /**
      * Log in a user using a token obtained from a Native Social Identity Provider, such as Facebook, using ['\oauth\token' endpoint](https://auth0.com/docs/api/authentication#token-exchange-for-native-social)
      * The default scope used is 'openid profile email'.
@@ -1116,6 +1159,7 @@ public class AuthenticationAPIClient @VisibleForTesting(otherwise = VisibleForTe
         private const val REVOKE_PATH = "revoke"
         private const val MFA_PATH = "mfa"
         private const val CHALLENGE_PATH = "challenge"
+        private const val AUTHENTICATORS_PATH = "authenticators"
         private const val PASSKEY_PATH = "passkey"
         private const val REGISTER_PATH = "register"
         private const val HEADER_AUTHORIZATION = "Authorization"

auth0/src/main/java/com/auth0/android/authentication/AuthenticationException.kt

@@ -147,6 +147,15 @@ public class AuthenticationException : Auth0Exception {
     public val isMultifactorEnrollRequired: Boolean
         get() = "a0.mfa_registration_required" == code || "unsupported_challenge_type" == code
 
+    /**
+     * Get the MFA token from the error response when MFA is required.
+     * This token should be used in subsequent MFA operations like listing authenticators or completing the challenge.
+     *
+     * @return the MFA token if present, null otherwise
+     */
+    public val mfaToken: String?
+        get() = getValue("mfa_token") as? String
+
     /// When Bot Protection flags the request as suspicious
     public val isVerificationRequired: Boolean
         get() = "requires_verification" == code

auth0/src/main/java/com/auth0/android/result/Authenticator.kt

@@ -0,0 +1,76 @@
+package com.auth0.android.result
+
+import com.google.gson.annotations.SerializedName
+
+/**
+ * Represents an MFA authenticator that can be used for multi-factor authentication.
+ *
+ * @see [com.auth0.android.authentication.AuthenticationAPIClient.listAuthenticators]
+ */
+public data class Authenticator(
+    /**
+     * Unique identifier for this authenticator
+     */
+    @SerializedName("id")
+    public val id: String,
+
+    /**
+     * Type of authenticator (e.g., "otp", "oob", "recovery-code")
+     */
+    @SerializedName("authenticator_type")
+    public val authenticatorType: String,
+
+    /**
+     * Whether this authenticator is active
+     */
+    @SerializedName("active")
+    public val active: Boolean,
+
+    /**
+     * OOB channel if this is an out-of-band authenticator (e.g., "sms", "email", "auth0")
+     */
+    @SerializedName("oob_channel")
+    public val oobChannel: String? = null,
+
+    /**
+     * Name of the authenticator
+     */
+    @SerializedName("name")
+    public val name: String? = null,
+
+    /**
+     * Creation timestamp
+     */
+    @SerializedName("created_at")
+    public val createdAt: String? = null,
+
+    /**
+     * Last update timestamp
+     */
+    @SerializedName("updated_at")
+    public val updatedAt: String? = null
+) {
+    /**
+     * Check if this is an SMS authenticator
+     */
+    public val isSms: Boolean
+        get() = authenticatorType == "oob" && oobChannel == "sms"
+
+    /**
+     * Check if this is an OTP authenticator (TOTP)
+     */
+    public val isOTP: Boolean
+        get() = authenticatorType == "otp"
+
+    /**
+     * Check if this is an email authenticator
+     */
+    public val isEmail: Boolean
+        get() = authenticatorType == "oob" && oobChannel == "email"
+
+    /**
+     * Check if this is a recovery code authenticator
+     */
+    public val isRecoveryCode: Boolean
+        get() = authenticatorType == "recovery-code"
+}

auth0/src/main/java/com/auth0/android/result/AuthenticatorsList.kt

@@ -0,0 +1,48 @@
+package com.auth0.android.result
+
+import com.auth0.android.request.internal.JsonRequired
+import com.google.gson.annotations.SerializedName
+
+/**
+ * Response containing a list of available MFA authenticators for the user.
+ *
+ * @see [com.auth0.android.authentication.AuthenticationAPIClient.listAuthenticators]
+ */
+public data class AuthenticatorsList(
+    /**
+     * List of authenticators available for this user
+     */
+    @field:JsonRequired
+    @SerializedName("authenticators")
+    public val authenticators: List<Authenticator>
+) {
+    /**
+     * Get all SMS authenticators
+     */
+    public val smsAuthenticators: List<Authenticator>
+        get() = authenticators.filter { it.isSms }
+
+    /**
+     * Get all OTP authenticators (TOTP)
+     */
+    public val otpAuthenticators: List<Authenticator>
+        get() = authenticators.filter { it.isOTP }
+
+    /**
+     * Get all email authenticators
+     */
+    public val emailAuthenticators: List<Authenticator>
+        get() = authenticators.filter { it.isEmail }
+
+    /**
+     * Get the first active SMS authenticator, if available
+     */
+    public val firstActiveSmsAuthenticator: Authenticator?
+        get() = smsAuthenticators.firstOrNull { it.active }
+
+    /**
+     * Get the first active OTP authenticator, if available
+     */
+    public val firstActiveOtpAuthenticator: Authenticator?
+        get() = otpAuthenticators.firstOrNull { it.active }
+}

auth0/src/test/java/com/auth0/android/authentication/AuthenticationExceptionMfaTest.kt

@@ -0,0 +1,136 @@
+package com.auth0.android.authentication
+
+import org.junit.Assert.*
+import org.junit.Test
+
+/**
+ * Unit tests for AuthenticationException MFA token extraction
+ * Part of the SMS OTP MFA POC implementation
+ */
+class AuthenticationExceptionMfaTest {
+
+    @Test
+    fun `should extract mfa_token from error response`() {
+        val errorValues = mapOf(
+            "error" to "mfa_required",
+            "error_description" to "Multifactor authentication required",
+            "mfa_token" to "test_mfa_token_12345"
+        )
+
+        val exception = AuthenticationException(errorValues, 403)
+
+        assertTrue(exception.isMultifactorRequired)
+        assertNotNull(exception.mfaToken)
+        assertEquals("test_mfa_token_12345", exception.mfaToken)
+    }
+
+    @Test
+    fun `should return null when mfa_token is not present`() {
+        val errorValues = mapOf(
+            "error" to "mfa_required",
+            "error_description" to "Multifactor authentication required"
+        )
+
+        val exception = AuthenticationException(errorValues, 403)
+
+        assertTrue(exception.isMultifactorRequired)
+        assertNull(exception.mfaToken)
+    }
+
+    @Test
+    fun `should handle non-MFA error without mfa_token`() {
+        val errorValues = mapOf(
+            "error" to "invalid_grant",
+            "error_description" to "Wrong username or password"
+        )
+
+        val exception = AuthenticationException(errorValues, 401)
+
+        assertFalse(exception.isMultifactorRequired)
+        assertNull(exception.mfaToken)
+    }
+
+    @Test
+    fun `should identify mfa_required with code variant`() {
+        val errorValues = mapOf(
+            "error" to "mfa_required",
+            "error_description" to "Multifactor authentication required",
+            "mfa_token" to "token_abc"
+        )
+
+        val exception = AuthenticationException(errorValues, 403)
+
+        assertTrue(exception.isMultifactorRequired)
+        assertEquals("token_abc", exception.mfaToken)
+    }
+
+    @Test
+    fun `should identify a0_mfa_required variant`() {
+        val errorValues = mapOf(
+            "error" to "a0.mfa_required",
+            "error_description" to "MFA is required",
+            "mfa_token" to "token_xyz"
+        )
+
+        val exception = AuthenticationException(errorValues, 403)
+
+        assertTrue(exception.isMultifactorRequired)
+        assertEquals("token_xyz", exception.mfaToken)
+    }
+
+    @Test
+    fun `should handle mfa_token as different type gracefully`() {
+        // In case the API returns mfa_token as non-string (edge case)
+        val errorValues = mapOf(
+            "error" to "mfa_required",
+            "error_description" to "Multifactor authentication required",
+            "mfa_token" to 12345 // Integer instead of String
+        )
+
+        val exception = AuthenticationException(errorValues, 403)
+
+        assertTrue(exception.isMultifactorRequired)
+        // Should return null when type is not String
+        assertNull(exception.mfaToken)
+    }
+
+    @Test
+    fun `should extract mfa_token with real-world response format`() {
+        // Simulating actual Auth0 API response
+        val errorValues = mapOf(
+            "error" to "mfa_required",
+            "error_description" to "Multifactor authentication required",
+            "mfa_token" to "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuYXV0aDAuY29tLyIsImF1ZCI6Imh0dHBzOi8vZXhhbXBsZS5hdXRoMC5jb20vbWZhLyJ9.test",
+            "statusCode" to 403
+        )
+
+        val exception = AuthenticationException(errorValues, 403)
+
+        assertTrue(exception.isMultifactorRequired)
+        assertNotNull(exception.mfaToken)
+        assertTrue(exception.mfaToken!!.startsWith("eyJ"))
+    }
+
+    @Test
+    fun `should handle getValue for mfa_token correctly`() {
+        val errorValues = mapOf(
+            "error" to "mfa_required",
+            "mfa_token" to "test_token"
+        )
+
+        val exception = AuthenticationException(errorValues, 403)
+
+        // Test both ways of accessing mfa_token
+        assertEquals("test_token", exception.mfaToken)
+        assertEquals("test_token", exception.getValue("mfa_token"))
+    }
+
+    @Test
+    fun `should work with empty error values map`() {
+        val errorValues = emptyMap<String, Any>()
+        val exception = AuthenticationException(errorValues, 500)
+
+        assertNull(exception.mfaToken)
+        assertFalse(exception.isMultifactorRequired)
+    }
+}