We will soon start the process of enabling two factor authentication, but have found limited information on this scenario in ServiceStack.
I've seen this post: https://forums.servicestack.net/t/replacing-credentialsauth-with-okta-sign-in-widget/3762
But I'm having a hard time understanding the flow of the code, so that I can add hooks. Could you elaborate any more on that post or give examples of where we might "hijack" the auth process to send out a code and require calling back with that TFA code?
There are no specific “hooks” which enable 2FA. The approach OAuth providers like FacebookAuthProvider adopt is for an initial request to return a redirect result to Facebook’s OAuth login to capture the user’s consent, after which it redirects the user back to the same /auth/facebook endpoint with an Access Token that can then be used to make Authenticated API calls to Facebook on the User’s behalf. The Facebook AuthProvider also supports being able to login directly with an AccessToken captured using Facebook’s Mobile SDK, which allows it to bypass the OAuth redirect dance.
If you’re using a 3rd Party 2FA Service, I’m assuming it will adopt a similar callback flow. You can also Save the Session before redirecting if you need to save additional info about the user that’s not available on the callback request.
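A sketch of the two-request callback flow described in the reply above, added here as an example that is not code from the thread or from ServiceStack itself: a custom AuthProvider that checks the password on the first call to /auth/tfa, sends a short-lived code, and only marks the session authenticated when that code is posted back to the same endpoint. It assumes ServiceStack v5's synchronous AuthProvider API, .NET Core 3 or later, and two hypothetical delegates (verifyCredentials, deliverCode) supplied by the host application.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Caching;

// Register with: new AuthFeature(() => new AuthUserSession(),
//     new IAuthProvider[] { new TwoFactorAuthProvider(verifyCredentials, deliverCode) })
public class TwoFactorAuthProvider : AuthProvider
{
    public class Pending { public string UserName { get; set; } public string Code { get; set; } public int Attempts { get; set; } }
    static readonly TimeSpan CodeTtl = TimeSpan.FromMinutes(5);   // challenge expires with the pending session
    const int MaxAttempts = 5;                                     // wrong guesses before the challenge is discarded
    readonly Func<string, string, bool> verifyCredentials;         // hypothetical: host app checks username/password
    readonly Action<string, string> deliverCode;                   // hypothetical: host app sends code (SMS, email, ...)

    public TwoFactorAuthProvider(Func<string, string, bool> verifyCredentials, Action<string, string> deliverCode)
    {
        Provider = "tfa";                                          // served at /auth/tfa
        this.verifyCredentials = verifyCredentials;
        this.deliverCode = deliverCode;
    }

    public override bool IsAuthorized(IAuthSession session, IAuthTokens tokens, Authenticate request = null)
        => session != null && session.IsAuthenticated;

    public override object Authenticate(IServiceBase authService, IAuthSession session, Authenticate request)
    {
        var cache = authService.TryResolve<ICacheClient>();
        var key = "tfa:pending:" + session.Id;                     // challenge is bound to this session cookie only

        if (request.Meta != null && request.Meta.TryGetValue("code", out var submitted))
        {   // Second request: the client calls back with the code we delivered.
            var pending = cache.Get<Pending>(key);
            if (pending == null) throw HttpError.Unauthorized("No pending 2FA challenge");
            if (!FixedTimeEquals(submitted, pending.Code))
            {
                pending.Attempts++;
                if (pending.Attempts >= MaxAttempts) cache.Remove(key); else cache.Set(key, pending, CodeTtl);
                throw HttpError.Unauthorized("Invalid code");
            }
            cache.Remove(key);                                     // single use: a replayed code must fail
            session.IsAuthenticated = true;
            session.UserAuthName = pending.UserName;
            var failed = OnAuthenticated(authService, session, null, null);   // runs the normal post-login hooks
            return failed ?? new AuthenticateResponse { UserName = pending.UserName, SessionId = session.Id };
        }

        // First request: password check, then issue the challenge without signing the user in.
        if (!verifyCredentials(request.UserName, request.Password)) throw HttpError.Unauthorized("Invalid username or password");
        var code = RandomNumberGenerator.GetInt32(0, 1_000_000).ToString("D6");   // CSPRNG 6-digit code
        cache.Set(key, new Pending { UserName = request.UserName, Code = code }, CodeTtl);
        deliverCode(request.UserName, code);
        session.IsAuthenticated = false;                           // saved, but not authenticated until the callback
        authService.SaveSession(session, CodeTtl);
        return new AuthenticateResponse { UserName = request.UserName, SessionId = session.Id,
            Meta = new Dictionary<string, string> { ["tfa"] = "required" } };
    }

    static bool FixedTimeEquals(string a, string b) => a != null && b != null &&
        CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(a), Encoding.UTF8.GetBytes(b));
}
```

The client posts `{ "provider": "tfa", "userName": ..., "password": ... }` first and then `{ "provider": "tfa", "meta": { "code": "123456" } }` with the same session cookie; because the challenge lives in the cache under the session id, a code cannot be redeemed from a different session.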