POST /self-service/settings/browser returns a 403 error when MFA is not available yet, with required_aal is highest_available.
#409
Labels
bug
Something is not working.
Comments
|
What does your code configuration look like? Did you disable the fallback setting? |
|
@aeneasr here is the current identity config: # yaml-language-server: $schema=https://raw.githubusercontent.com/ory/kratos/master/embedx/config.schema.json
cookies:
same_site: Lax
courier:
smtp:
connection_uri: smtp://${POSTMARK_SEVER_API_TOKEN}:${POSTMARK_SEVER_API_TOKEN}@smtp.postmarkapp.com:587/
from_address: ${COURIER_SMTP_FROM_ADDRESS}
from_name: ${COURIER_SMTP_FROM_NAME}
channels:
- id: sms
type: http
request_config:
url: https://api.twilio.com/2010-04-01/Accounts/${TWILIO_ACCOUNT_SID}/Messages.json
method: POST
body: base64://${TWILIO_MESSAGE_JSONNET_BASE64}
headers:
Content-Type: application/x-www-form-urlencoded
auth:
type: basic_auth
config:
user: ${TWILIO_ACCOUNT_SID}
password: ${TWILIO_AUTH_TOKEN}
templates:
login_code:
valid:
email:
subject: base64://${COURIER_TEMPLATES_LOGIN_CODE_VALID_EMAIL_SUBJECT}
body:
html: base64://${COURIER_TEMPLATES_LOGIN_CODE_VALID_EMAIL_BODY_HTML}
plaintext: base64://${COURIER_TEMPLATES_LOGIN_CODE_VALID_EMAIL_BODY_PLAINTEXT}
sms:
body:
plaintext: base64://${COURIER_TEMPLATES_LOGIN_CODE_VALID_SMS_BODY_PLAINTEXT}
recovery:
invalid:
email:
body: {}
valid:
email:
body: {}
recovery_code:
invalid:
email:
body: {}
valid:
email:
subject: base64://${COURIER_TEMPLATES_RECOVERY_CODE_VALID_EMAIL_SUBJECT}
body:
html: base64://${COURIER_TEMPLATES_RECOVERY_CODE_VALID_EMAIL_BODY_HTML}
plaintext: base64://${COURIER_TEMPLATES_RECOVERY_CODE_VALID_EMAIL_BODY_PLAINTEXT}
registration_code:
valid:
email:
subject: base64://${COURIER_TEMPLATES_REGISTRATION_CODE_VALID_EMAIL_SUBJECT}
body:
html: base64://${COURIER_TEMPLATES_REGISTRATION_CODE_VALID_EMAIL_BODY_HTML}
plaintext: base64://${COURIER_TEMPLATES_REGISTRATION_CODE_VALID_EMAIL_BODY_PLAINTEXT}
verification:
invalid:
email:
body: {}
valid:
email:
body: {}
verification_code:
invalid:
email:
body: {}
valid:
email:
subject: base64://${COURIER_TEMPLATES_VERIFICATION_CODE_VALID_EMAIL_SUBJECT}
body:
html: base64://${COURIER_TEMPLATES_VERIFICATION_CODE_VALID_EMAIL_BODY_HTML}
plaintext: base64://${COURIER_TEMPLATES_VERIFICATION_CODE_VALID_EMAIL_BODY_PLAINTEXT}
sms:
body:
plaintext: base64://${COURIER_TEMPLATES_VERIFICATION_CODE_VALID_SMS_BODY_PLAINTEXT}
feature_flags:
cacheable_sessions: false
identity:
default_schema_id: ${SCHEMA_ID}
schemas:
- id: ${SCHEMA_ID}
url: base64://${SPIKO_IDENTITY_SCHEMA_V0_BASE64}
oauth2_provider:
override_return_to: true
organizations: []
selfservice:
allowed_return_urls:
- https://${ORY_PROJECT_SLUG}.projects.oryapis.com
- https://${AUTH_DOMAIN}
default_browser_return_url: /profile
flows:
error:
ui_url: /ui/error
login:
after:
code:
hooks: []
hooks:
- hook: revoke_active_sessions
- hook: web_hook
config:
url: https://api.segment.io/v1/identify
method: POST
body: base64://${SEGMENT_IDENTIFY_JSONNET_BASE64}
auth:
type: basic_auth
config:
user: ${SEGMENT_WRITE_KEY}
password: ''
can_interrupt: false
response:
ignore: false
parse: false
lookup_secret:
hooks: []
oidc:
hooks: []
password:
hooks: []
totp:
hooks: []
webauthn:
hooks: []
before:
hooks: []
lifespan: 30m0s
ui_url: ${APP_URL}/signin
logout:
after: {}
recovery:
after:
hooks: []
before:
hooks: []
enabled: true
lifespan: 30m0s
notify_unknown_recipients: false
ui_url: ${APP_URL}/recover
use: code
registration:
after:
hooks:
- hook: web_hook
config:
url: https://api.segment.io/v1/identify
method: POST
body: base64://${SEGMENT_IDENTIFY_JSONNET_BASE64}
auth:
type: basic_auth
config:
user: ${SEGMENT_WRITE_KEY}
password: ''
can_interrupt: false
response:
ignore: false
parse: false
code:
hooks:
- hook: session
oidc:
hooks:
- hook: session
password:
hooks:
- hook: show_verification_ui
- hook: session
webauthn:
hooks:
- hook: session
before:
hooks: []
enabled: true
lifespan: 30m0s
login_hints: true
ui_url: ${APP_URL}/signup
settings:
after:
hooks:
- hook: web_hook
config:
url: https://api.segment.io/v1/identify
method: POST
body: base64://${SEGMENT_IDENTIFY_JSONNET_BASE64}
auth:
type: basic_auth
config:
user: ${SEGMENT_WRITE_KEY}
password: ''
can_interrupt: false
response:
ignore: false
parse: false
lookup_secret:
hooks: []
oidc:
hooks: []
password:
hooks: []
profile:
hooks: []
totp:
hooks: []
webauthn:
hooks: []
before:
hooks: []
lifespan: 30m0s
privileged_session_max_age: 15m0s
required_aal: aal1
ui_url: ${APP_URL}/settings
verification:
after:
hooks: []
before:
hooks: []
enabled: true
lifespan: 30m0s
notify_unknown_recipients: false
ui_url: ${APP_URL}/verify
use: code
methods:
code:
config:
lifespan: 15m0s
enabled: true
passwordless_enabled: false
mfa_enabled: true
missing_credential_fallback_enabled: true
link:
config:
base_url: ''
lifespan: 15m0s
enabled: true
lookup_secret:
enabled: true
oidc:
config:
providers: []
enabled: false
password:
config:
haveibeenpwned_enabled: true
identifier_similarity_check_enabled: true
ignore_network_errors: true
max_breaches: 1
min_password_length: 8
enabled: true
profile:
enabled: true
totp:
config:
issuer: ${TOTP_ISSUER}
enabled: true
webauthn:
config:
passwordless: false
rp:
display_name: My App
id: ${ORY_PROJECT_SLUG}.projects.oryapis.com
origins:
- https://${ORY_PROJECT_SLUG}.projects.oryapis.com
enabled: false
session:
cookie:
persistent: false
same_site: Lax
lifespan: ${SESSION_LIFESPAN}
whoami:
required_aal: aal1
tokenizer:
templates: {} |
|
@aeneasr any idea where it could come from ? |
|
Set missing_credential_fallback_enabled to false |
|
@aeneasr it does not fixes the problem. I have modified my current config by:
I still have a 403 when I request a settings flow with a aal1 session. |
|
For existing accounts or for new accounts? It‘s possible that existing accounts may have the code credential already enabled due to the fallbackAm 11.02.2025 um 05:15 schrieb Samuel Briole ***@***.***>:
@aeneasr it does not fixes the problem.
I have modified my current config by:
setting the missing_credential_fallback_enabled to false
setting the selfservice.flows.settings.required_aal to highest_available
I still have a 403 when I request a settings flow with a aal1 session.
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
I have the issue for new accounts. The identity schema is unchanged |
|
In that case it might be a bug in the implementation. Since I‘m currently PTO I am unable to reproduce and someone from the team needs to take some time to look into this. I think the problem is that the available AAL calculation does not take into account that the phone number is empty. To work around this I suggest to require the phone number during sign up. |
|
I took a brief look and it appears that CountSecondFactorCredentials for the code method is not respecting the identity credentials but instead always returning true if enabled. The problem is that normally the identity identifier and the code credential are the same field and hence the value is always set. Here however that is not the case as the code credential is an optional secondary field and not an identifier for the user. This is an edge case we have not encountered before. To work around this limitation here are several options:
|
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Preflight checklist
Ory Network Project
https://infallible-goldwasser-0tlns4dkt7.projects.oryapis.com
Describe the bug
This issue follows this discussion on Slack.
I have setup optional MFA on my Ory project. Users sign-up with email / password and then they can add MFA with SMS or TOTP.
When I create a new account, after signing-up with email and password, I try to load the
settingsflow on the/self-service/settings/browserendpoint but I get a 403 error.At this time, my session is
aal1and I have no MFA available because thephoneNumbertrait is empty. Also, my configuration for the settings flow isrequired_aal: highest_available, so anaal1session should match the requirements.Reproducing the bug
Relevant log output
the 403 response: { "error": { "id": "session_aal2_required", "code": 403, "status": "Forbidden", "reason": "An active session was found but it does not fulfill the requested Authenticator Assurance Level. Please verify yourself with a second factor to resolve this issue.", "details": { "redirect_browser_to": "http://localhost:4200/self-service/login/browser?aal=aal2" }, "message": "Session does not fulfill the requested Authenticator Assurance Level" }, "redirect_browser_to": "http://localhost:4200/self-service/login/browser?aal=aal2" }Relevant configuration
identity config:
identity schema:
Version
"@ory/client": "^1.15.7"
On which operating system are you observing this issue?
Ory Network
In which environment are you deploying?
Ory Network
Additional Context
No response
The text was updated successfully, but these errors were encountered: