Require MFA Authentication for a Client (application)

In some situations an application requires multi-factor authentication (MFA) for security reasons. This can be done in two ways:

  1. By configuration. Configure the client to require MFA, and for which kinds of accounts. This is the easiest option when MFA should always be required for the client. It is supported for both OpenID Connect and SAML applications.
  2. By passing mfa as a value of the OpenID Connect acr_values parameter. This lets the application request MFA only for specific actions (step-up authentication) instead of at every login.

Pass the mfa method in acr_values

To request the authentication method, add mfa as a value of the acr_values parameter in the authorization request. Note that acr_values only asks the identity provider for MFA; the application should verify the acr claim in the returned ID token before treating the user as MFA-authenticated.

C# example

// Requires: using System.Threading.Tasks;
//           using Microsoft.AspNetCore.Authentication.OpenIdConnect;
.AddOpenIdConnect(options =>
{
    // Other configuration (Authority, ClientId, ...) not shown
    options.Events.OnRedirectToIdentityProvider = ctx =>
    {
        // Ask the identity provider for MFA on every authorization request
        ctx.ProtocolMessage.AcrValues = "mfa";

        return Task.CompletedTask;
    };
});
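The snippet above sets acr_values on every redirect. The following is an added example (not code from the original page or from the identity provider's own documentation) showing the step-up variant: mfa is only requested when a protected endpoint challenges with a marker in AuthenticationProperties, and the handler rejects the sign-in if the ID token does not carry the acr claim it asked for. The Authority, ClientId and ClientSecret values, the "require_mfa" item key and the assumption that the identity provider reports MFA as acr = "mfa" in the ID token are placeholders and assumptions, not values from the page.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Key in AuthenticationProperties.Items that marks a challenge as a step-up (assumed name).
const string RequireMfaKey = "require_mfa";

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.Authority = "https://idp.example.com";   // placeholder values, not from the page
        options.ClientId = "my-client";
        options.ClientSecret = "replace-me";
        options.ResponseType = OpenIdConnectResponseType.Code;

        options.Events.OnRedirectToIdentityProvider = ctx =>
        {
            // Step-up: only add acr_values=mfa when the challenge was marked as requiring it.
            if (ctx.Properties.Items.TryGetValue(RequireMfaKey, out var flag) && flag == "true")
            {
                ctx.ProtocolMessage.AcrValues = "mfa";
            }
            return Task.CompletedTask;
        };

        options.Events.OnTokenValidated = ctx =>
        {
            // acr_values only asks for MFA. The proof is the acr claim the IdP puts in the
            // ID token, so reject the sign-in if mfa was requested and not returned.
            if (ctx.Properties!.Items.TryGetValue(RequireMfaKey, out var flag) && flag == "true")
            {
                var acr = ctx.Principal?.FindFirst("acr")?.Value;
                if (acr != "mfa")
                {
                    ctx.Fail($"MFA required but ID token acr claim is '{acr ?? "(none)"}'.");
                }
            }
            return Task.CompletedTask;
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Ordinary page: a normal login (no acr_values) is enough.
app.MapGet("/", (HttpContext http) =>
    Results.Ok(http.User.Identity?.IsAuthenticated == true ? "signed in" : "anonymous"));

// Sensitive action: require a session whose ID token carried acr=mfa, otherwise step up.
app.MapGet("/transfer", (HttpContext http) =>
{
    var acr = http.User.FindFirst("acr")?.Value;
    if (http.User.Identity?.IsAuthenticated == true && acr == "mfa")
    {
        return Results.Ok("sensitive action allowed");
    }

    // Re-challenge the OpenID Connect scheme with the step-up marker; the redirect
    // event above turns that marker into acr_values=mfa.
    var props = new AuthenticationProperties { RedirectUri = "/transfer" };
    props.Items[RequireMfaKey] = "true";
    return Results.Challenge(props, new[] { OpenIdConnectDefaults.AuthenticationScheme });
});

app.Run();
```

The check in OnTokenValidated is what makes the request meaningful: a user who already has a cookie session from a password-only login reaches /transfer, is sent back to the identity provider with acr_values=mfa, and only gets a new session if the fresh ID token actually says acr=mfa. If your identity provider uses a different acr value for MFA, compare against that value instead of "mfa".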