The email OTP flow error message was not displayed in 3 use cases:
1. OTP validity period: Complete the initial factor authentication (username/password) and allow an OTP to be delivered to the user. Wait until the OTP validity period expires (5 minutes).
2. OTP brute forcing: Enter an incorrect OTP token and ensure that a suitable error message is displayed.
3. OTP brute forcing: Enter the OTP token incorrectly 6 times and ensure that the user's account is locked for 30 minutes.
The root cause is the error customization configuration.
When the VIP Authentication Hub OTPVerifier response came back, it was in HTML format, whereas out of the box it should be in JSON format.
The HTTP response status was 401, which is the correct error code; only the body had been replaced.
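A quick way to confirm this symptom without guessing is to look at the 401 response the client actually receives and check whether its body is JSON (the verifier's own error) or HTML (an error page substituted by the gateway). The following checker is an added example, not Broadcom/Symantec product code; the two sample responses are constructed for the illustration, and the JSON body shape is a placeholder, since the page does not show the real OTPVerifier payload.

```python
"""Classify a raw HTTP response to an OTP verification call.

Added illustration, not VIP Authentication Hub or Access Gateway code.
Sample responses below are constructed; the JSON body is a placeholder shape.
"""
import json


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])          # "HTTP/1.1 401 Unauthorized" -> 401
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def body_kind(headers: dict, body: bytes) -> str:
    """Return 'json', 'html', 'malformed-json' or 'other' for the body."""
    ctype = headers.get("content-type", "").lower()
    text = body.strip()
    if "application/json" in ctype:
        try:
            json.loads(text)
            return "json"
        except ValueError:
            return "malformed-json"
    if "text/html" in ctype or text[:1] == b"<":
        return "html"
    return "other"


def classify_otp_error_response(raw: bytes) -> dict:
    """Decide whether a 401 reached the client intact or was rewritten.

    401 + JSON  -> the verifier's error passed through the gateway ("passthrough")
    401 + HTML  -> a gateway error page replaced the body ("gateway-error-page")
    anything else is reported as "unexpected" for manual review
    """
    status, headers, body = parse_http_response(raw)
    kind = body_kind(headers, body)
    if status == 401 and kind == "json":
        verdict = "passthrough"
    elif status == 401 and kind == "html":
        verdict = "gateway-error-page"
    else:
        verdict = "unexpected"
    return {"status": status, "body_kind": kind, "verdict": verdict}


# Constructed sample: what the client saw before the fix (status correct, body replaced).
GATEWAY_PAGE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Custom error page</body></html>"
)

# Constructed sample: the out-of-the-box shape, JSON body passed through unchanged.
VERIFIER_JSON = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"error": "OTP is expired"}'
)

if __name__ == "__main__":
    for label, sample in (("before fix", GATEWAY_PAGE), ("after fix", VERIFIER_JSON)):
        print(label, classify_otp_error_response(sample))
```

Run it against a response captured with `curl -i` (or a proxy log) from the OTP step; a "gateway-error-page" verdict on a 401 points at the gateway's error customization rather than at the verifier.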
This environment uses Access Gateway to proxy traffic, and the error redirect has been customized in the Access Gateway server configuration.
Identify the entry for HTTP error 401 in the Access Gateway WebServerErrorMessages.properties file.
Once the line for error 401 is commented out with #, Access Gateway passes the default error message through.
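To make that edit repeatable (and safe to re-run on a file that has already been fixed), here is a small helper that comments out only the 401 entry and leaves every other line untouched. This is an added example, not Broadcom/Symantec product code; it assumes the file uses Java `.properties` syntax (`key=value`, `#` comments) and that the 401 entry's key starts with the status code, because the page does not show the file's key format. The sample file content is constructed.

```python
"""Comment out the HTTP 401 entry in a WebServerErrorMessages.properties file.

Added example, not Access Gateway code.  Assumes Java .properties syntax and
that the entry's key is the status code (e.g. "401=...").  Sample is constructed.
"""
import re


def comment_out_status(text: str, status: str = "401"):
    """Return (new_text, number_of_lines_changed).

    Only lines whose key is exactly `status` are prefixed with '#'.
    Lines already commented do not match, so a second run changes nothing.
    """
    entry = re.compile(r"^\s*" + re.escape(status) + r"\s*[=:]")
    out, changed = [], 0
    for line in text.splitlines():
        if entry.match(line):
            out.append("#" + line)
            changed += 1
        else:
            out.append(line)
    new_text = "\n".join(out)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, changed


# Constructed sample; the paths are placeholders, not real Access Gateway values.
SAMPLE_PROPERTIES = (
    "# custom error pages (constructed sample)\n"
    "401=/errors/custom401.html\n"
    "403=/errors/custom403.html\n"
    "4011=/errors/should-not-match.html\n"
)

if __name__ == "__main__":
    fixed, n = comment_out_status(SAMPLE_PROPERTIES)
    print(f"{n} line(s) commented out")
    print(fixed)
```

After running it against a copy of the real file, diff the two and confirm that only the 401 line changed before restarting the gateway and retesting the three cases.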
Tested the same 3 use cases again:
1. OTP validity period: Complete the initial factor authentication (username/password) and allow an OTP to be delivered to the user. Wait until the OTP validity period expires (5 minutes).
//received error: Incorrect credentials
2. OTP brute forcing: Enter an incorrect OTP token and ensure that a suitable error message is displayed.
//received error: OTP is expired
3. OTP brute forcing: Enter the OTP token incorrectly 6 times and ensure that the user's account is locked for 30 minutes.
//The user is redirected to the custom error page that was pre-defined in their Access Gateway WebServerErrorMessages.properties file.