[CAS 6.0.8] mfa-custom: getService(...) in web flow action

[N8]

I'm hoping to externalredirect:#{requestScope.redirectUrl} in mfa-custom-webflow.xml and include the encoded original service url in the redirect query string, but can't figure out how to get a reference to the service so I can build the url in my action.  WebUtils.getService(requestContext) returns null.

All of the other mfa providers evaluate initialFlowSetupAction on start, setting the service key value in the flow scope to null, thereby removing whatever may have been there.  My brain is fried from miles-deep tracing through code, and I admit I don't fully understand whether the mfa web flow is fully independent of the login flow.

It appears any action state code in the Duo provider would also receive a null return value from WebUtils.getService(requestContext):

2020-03-07 13:38:45,756 DEBUG [org.apereo.cas.web.flow.resolver.impl.SelectiveMultifactorAuthenticationProviderWebflowEventEventResolver] - <Finalized set of resolved events are [[mfa-duo]]>

2020-03-07 13:38:45,756 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [mfa-duo] via [java.lang.String] for this context>

2020-03-07 13:38:45,756 DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <The final authentication event resolved for [AbstractWebApplicationService(id=https://www.asu.edu/footest, originalUrl=https://www.asu.edu/footest, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] is [mfa-duo]>

2020-03-07 13:38:45,756 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [mfa-duo] via [java.lang.String] for this context>

2020-03-07 13:38:45,758 TRACE [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Warning cookie path is set to [null] and path [/cas/]>

2020-03-07 13:38:45,758 TRACE [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <TGC cookie path is set to [null] and path [/cas/]>

2020-03-07 13:38:45,759 TRACE [org.apereo.cas.authentication.principal.WebApplicationServiceFactory] - <No service is specified in the request. Skipping service creation>

2020-03-07 13:38:45,759 TRACE [org.apereo.cas.web.support.DefaultArgumentExtractor] - <No service could be extracted based on the given request>

2020-03-07 13:38:45,759 TRACE [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor did not generate service.>

(https://github.com/apereo/cas/blob/d17798a08cbfef59623e0966becacc4d564d476e/support/cas-server-support-actions/src/main/java/org/apereo/cas/web/flow/login/InitialFlowSetupAction.java#L59)

Any pointers?