You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
During the OAuth2 flow, after submitting the email/password, the user is redirected to a URL similar to the following: https://account-flows-test.bonfirehub.com/self-service/login/browser?aal=aal2&login_challenge=[…]&return_to=https%3A%2F%2Fdazzling-chandrasekhar-msru5m4b1c.projects.oryapis.com%2Foauth2%2Fauth%3F[...], which looks correct.
But the LoginFlow returned by Ory from that request has both "requested_aal": "aal2" AND "refresh": true.
I’m not sure why refresh is true here. It is causing an issue for us because when refresh is true, our code attempts to look up the user’s current session (the one we are refreshing) so we can display the email address of the account the user is logged in as.
But in this case, the session lookup fails (I believe with a 403, Session has a lower AAL than required for the identity error).
All that said, is "refresh": true expected here? Or is it a bug?
In ory/elements, the UserAuthCard will display "Confirm it's you" instead of "Two-Factor Authentication" in this scenario.
Start the OAuth2 Login flow with a user that has 2FA enabled. After submitting email/password, the user should be redirected to the page where the user submits the 2FA code. If you inspect the LoginFlow object, it should have both refresh: true and requested_aal: 'aal2'.
Relevant log output
No response
Relevant configuration
No response
Version
Ory Network
On which operating system are you observing this issue?
Ory Network
In which environment are you deploying?
Ory Network
Additional Context
No response
The text was updated successfully, but these errors were encountered:
I looked into this, but it's not trivial to understand where the refresh parameter is coming from in this scenario. Could you - like Ory Elements, ignore the refresh value if AAL2 is required?
Preflight checklist
Ory Network Project
dazzling-chandrasekhar-msru5m4b1c
Describe the bug
During the OAuth2 flow, after submitting the email/password, the user is redirected to a URL similar to the following:
https://account-flows-test.bonfirehub.com/self-service/login/browser?aal=aal2&login_challenge=[…]&return_to=https%3A%2F%2Fdazzling-chandrasekhar-msru5m4b1c.projects.oryapis.com%2Foauth2%2Fauth%3F[...]
, which looks correct.But the
LoginFlow
returned by Ory from that request has both"requested_aal": "aal2"
AND"refresh": true
.I’m not sure why
refresh
istrue
here. It is causing an issue for us because whenrefresh
istrue
, our code attempts to look up the user’s current session (the one we are refreshing) so we can display the email address of the account the user is logged in as.But in this case, the session lookup fails (I believe with a 403, Session has a lower AAL than required for the identity error).
All that said, is
"refresh": true
expected here? Or is it a bug?In ory/elements, the
UserAuthCard
will display "Confirm it's you" instead of "Two-Factor Authentication" in this scenario.https://github.com/ory/elements/blob/main/src/react-components/ory/user-auth-card.tsx#L129
May be related to ory/kratos#2742
Reproducing the bug
Start the OAuth2 Login flow with a user that has 2FA enabled. After submitting email/password, the user should be redirected to the page where the user submits the 2FA code. If you inspect the
LoginFlow
object, it should have bothrefresh: true
andrequested_aal: 'aal2'
.Relevant log output
No response
Relevant configuration
No response
Version
Ory Network
On which operating system are you observing this issue?
Ory Network
In which environment are you deploying?
Ory Network
Additional Context
No response
The text was updated successfully, but these errors were encountered: