
During the OAuth2 login flow, when the user has 2FA enabled, the LoginFlow may be in a weird state #375

Open
BrandonNoad opened this issue Feb 9, 2024 · 3 comments
Labels
bug Something is not working.

Comments

@BrandonNoad

Ory Network Project

dazzling-chandrasekhar-msru5m4b1c

Describe the bug

During the OAuth2 flow, after submitting the email/password, the user is redirected to a URL similar to the following: https://account-flows-test.bonfirehub.com/self-service/login/browser?aal=aal2&login_challenge=[…]&return_to=https%3A%2F%2Fdazzling-chandrasekhar-msru5m4b1c.projects.oryapis.com%2Foauth2%2Fauth%3F[...], which looks correct.

But the LoginFlow returned by Ory from that request has both "requested_aal": "aal2" AND "refresh": true.

I’m not sure why refresh is true here. It is causing an issue for us because when refresh is true, our code attempts to look up the user’s current session (the one we are refreshing) so we can display the email address of the account the user is logged in as.

But in this case, the session lookup fails (I believe with a 403, "Session has a lower AAL than required for the identity" error).

All that said, is "refresh": true expected here? Or is it a bug?

In ory/elements, the UserAuthCard will display "Confirm it's you" instead of "Two-Factor Authentication" in this scenario.

https://github.com/ory/elements/blob/main/src/react-components/ory/user-auth-card.tsx#L129

May be related to ory/kratos#2742

Reproducing the bug

Start the OAuth2 Login flow with a user that has 2FA enabled. After submitting email/password, the user should be redirected to the page where the user submits the 2FA code. If you inspect the LoginFlow object, it should have both refresh: true and requested_aal: 'aal2'.

Version

Ory Network

On which operating system are you observing this issue?

Ory Network

In which environment are you deploying?

Ory Network


@BrandonNoad
Author

Also, the LoginFlow contains the messages for both the refresh and the aal2 scenarios

[image: screenshot of the LoginFlow messages]

@aeneasr
Member

aeneasr commented Feb 10, 2024

I looked into this, but it's not trivial to understand where the refresh parameter is coming from in this scenario. Could you, like Ory Elements, ignore the refresh value if AAL2 is required?

@BrandonNoad
Author

Yes, we are currently ignoring flow.refresh when flow.requested_aal === 'aal2'.

But I wasn't sure if we might be ignoring a valid case that could lead to bugs in the future.
