Dynamic MFA needed for Hydra with Kratos

[andremussche]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

For a new project (dutch education) we need to enforce a 2FA check when the user wants to do something special (e.g. some admin functionality or view gpdr data). So normally the user logs in with e.g. Office365 via Kratos and gets access (via Hydra based on ID Token) but on some parts in the application we need to dynamically ask for a MFA (e.g. totp).

I can retrieve the "amr" values in the ID Token when the user has done an AAL2 login somehow, so that's not the problem:

• "amr": ["oidc","totp"]

I tried different kind of extra parameters to the "auth" call, like "acr_values=2", "aal=aal2":

• http://localhost:4444/oauth2/auth?audience=&client_id=XXX&max_age=0&nonce=XXX&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A4446%2Fcallback&response_type=code&scope=openid+profile+email+school&state=XXXX&acr_values=2

But these params are not handled, so the Kratos redirect stays the same (no "aal" value):

• http://localhost:4433/self-service/login/browser?aal=&refresh=&return_to=&login_challenge=XXXXX

Describe your ideal solution

The workaround (see below) feels weird of course: is there an other/better way to do this?

Or can Hydra be extended with a "acr_values" parameter:

• https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

Or with "amr_values" likes Microsoft:

• https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oapx/0fc398ca-88d0-4118-ae60-c3033e396e60

Or maybe pass the "aal=aal2" parameter to Kratos?

Workarounds or alternatives

The only way I could get it working (locally) was using 2 Hydra instances:

1. a normal one, with normal config:

urls:
  self:
    issuer: http://localhost:4444
  consent: http://localhost:4455/consent
  login: http://localhost:4455/login

2. and a second one, using the same Hydra database and connected to the same Kratos instance, but with an extra AAL login parameter:

serve:
  admin:
    port: 4442  # different port than default 4445
  public:
    port: 4443 # different port than default 4444

urls:
  self:
    issuer: http://localhost:4443
  consent: http://localhost:4455/consent
  login: http://localhost:4455/login?aal=aal2   # enforce 2FA!

So the application initially requests an ID token using Hydra#1 and when the user wants to do some admin stuff it will request an ID token using Hydra#2 (and checks the "amr" claim of the JWT).

Version

oryd/hydra:v2.2

Additional Context

No response

[andremussche]

Maybe this is an option too: instead of a separate instance, make it configurable per client: #3205

[vinckr]

Have you seen this: https://www.ory.sh/docs/kratos/mfa/step-up-authentication

Maybe your use case would be much easier if you leave out the OAuth2 part.

What is the reason to involve Hydra? IMHO OAuth2 is overkill for most projects.

Assume we know nothing about what you are trying to do, only thing we know is that you are building a new project in education.

[andremussche]

@vinckr Yes I know :).
We will use Kratos as a "federation" hub and the user should be able to choose between Office365 (teachers or employees of our customer), our own legacy IDP and 2 educational OIDC providers (students) so we have one single "identity" server. Our customer has several (external) web apps which needs an identity on a standardized way so they choose OIDC with PKCE.
AFAIK Kratos can connect with OIDC providers but we need Hydra so others can connect to us using OIDC?
For another project, we use Kratos + oauthkeeper but there we have internal apps (behind the api gateway).