SMS/OTP challenge bypassed by using directly x-flow-state in Authhub
Article ID: 249528

Products

VIP Authentication Hub

Issue/Introduction

When running AuthHub, once a client holds a valid x-flow-state value (issued during the login flow), that value can be reused directly in a request URL to reach the target endpoint resource, bypassing the SMS/OTP multifactor authentication step that should follow the primary login.

The SMS/OTP challenge can be bypassed by directly accessing a URL of the following form after the initial login, with the previously issued x-flow-state value appended:

https://_app._host._domain._com/default/oauth2/v1/myapp?x-flow-state=eXlh [...]
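To make the failure mode concrete, the following is an added illustration, not VIP Authentication Hub code: a hypothetical model of a multi-step login flow keyed by an opaque x-flow-state token. The step names, the in-memory store and the function names are assumptions. The vulnerable resolver treats possession of a known flow-state value as proof that the whole flow ran, which is the pattern described above; the hardened resolver only releases the resource when every required step, including SMS/OTP, has been recorded as completed, and consumes the token so it cannot be replayed.

```python
"""Hypothetical model of an x-flow-state driven login flow (added example,
not AuthHub code). REQUIRED_STEPS, FlowStore and the resolver names are
assumptions made for illustration."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumed factor order: primary password login, then the SMS/OTP challenge.
REQUIRED_STEPS = ("password", "sms_otp")


@dataclass
class FlowState:
    completed: Set[str] = field(default_factory=set)
    finished: bool = False


class FlowStore:
    """Server-side store of in-progress flows, keyed by x-flow-state."""

    def __init__(self) -> None:
        self._flows: Dict[str, FlowState] = {}

    def start(self) -> str:
        """Begin a new flow and return its opaque x-flow-state token."""
        token = secrets.token_urlsafe(24)
        self._flows[token] = FlowState()
        return token

    def complete_step(self, token: str, step: str) -> None:
        """Record that one factor of the flow has been satisfied."""
        self._flows[token].completed.add(step)

    def get(self, token: str) -> Optional[FlowState]:
        return self._flows.get(token)


def resolve_vulnerable(store: FlowStore, token: str) -> str:
    """Endpoint that only checks the token is known (the bypass pattern):
    a flow that stopped after the password step still gets the resource."""
    if store.get(token) is None:
        return "401 unknown flow"
    return "200 resource"


def resolve_hardened(store: FlowStore, token: str) -> str:
    """Endpoint that requires every factor to be completed before releasing
    the resource, and marks the flow finished so the token is single use."""
    state = store.get(token)
    if state is None or state.finished:
        return "401 unknown or consumed flow"
    missing = [s for s in REQUIRED_STEPS if s not in state.completed]
    if missing:
        return "403 incomplete flow, missing: " + ",".join(missing)
    state.finished = True
    return "200 resource"


def demo() -> Dict[str, str]:
    """Walk one flow through both resolvers; returns each outcome by name."""
    store = FlowStore()
    token = store.start()
    store.complete_step(token, "password")  # client never answers the OTP
    results = {
        "vulnerable_without_otp": resolve_vulnerable(store, token),
        "hardened_without_otp": resolve_hardened(store, token),
    }
    store.complete_step(token, "sms_otp")  # now the challenge is answered
    results["hardened_after_otp"] = resolve_hardened(store, token)
    results["hardened_replay"] = resolve_hardened(store, token)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the hardened resolver is that the x-flow-state value is only a pointer to server-side state; the endpoint must consult that state for every required factor rather than trusting that the value exists, and should retire it once the flow has been redeemed.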

Resolution

This issue was resolved in the Jun.02 release.

Upgrade to the latest version (June.04 or more recent) to address this issue.