and a second one, using the same Hydra database and connected to the same Kratos instance, but with an extra AAL login parameter:

```yaml
serve:
  admin:
    port: 4442 # different port than default 4445
  public:
    port: 4443 # different port than default 4444
urls:
  self:
    issuer: http://localhost:4443
  consent: http://localhost:4455/consent
  login: http://localhost:4455/login?aal=aal2 # enforce 2FA!
```
@vinckr Yes I know :).
We will use Kratos as a "federation" hub, and the user should be able to choose between Office365 (teachers or employees of our customer), our own legacy IDP and 2 educational OIDC providers (students), so we have one single "identity" server. Our customer has several (external) web apps which need an identity in a standardized way, so they chose OIDC with PKCE.
AFAIK Kratos can connect with OIDC providers, but we need Hydra so others can connect to us using OIDC?
For another project, we use Kratos + Oathkeeper, but there we have internal apps (behind the API gateway).
Preflight checklist
Ory Network Project
No response
Describe your problem
For a new project (Dutch education) we need to enforce a 2FA check when the user wants to do something special (e.g. some admin functionality or viewing GDPR data). So normally the user logs in with e.g. Office365 via Kratos and gets access (via Hydra, based on the ID Token), but in some parts of the application we need to dynamically ask for MFA (e.g. TOTP).
I can retrieve the "amr" values in the ID Token when the user has done an AAL2 login somehow, so that's not the problem:
"amr": ["oidc","totp"]
I tried different kinds of extra parameters to the "auth" call, like "acr_values=2", "aal=aal2":
But these params are not handled, so the Kratos redirect stays the same (no "aal" value):
Describe your ideal solution
The workaround (see below) feels weird of course: is there another/better way to do this?
Or can Hydra be extended with an "acr_values" parameter:
Or with "amr_values" like Microsoft:
Or maybe pass the "aal=aal2" parameter to Kratos?
Workarounds or alternatives
The only way I could get it working (locally) was using 2 Hydra instances:
So the application initially requests an ID token using Hydra#1 and when the user wants to do some admin stuff it will request an ID token using Hydra#2 (and checks the "amr" claim of the JWT).
Version
oryd/hydra:v2.2
Additional Context
No response
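As an added example (not code from the issue author, nor from Ory Hydra or Kratos), the following Go sketch shows the decision logic of a custom login endpoint placed at Hydra's `urls.login` in front of Kratos, which is the single-Hydra alternative to the two-instance workaround. It relies on two things Hydra does do: the client's `acr_values` parameter is handed to the login endpoint as `oidc_context.acr_values` in the login request, and the `acr`/`amr` values sent when accepting the login request are copied into the ID token. The endpoint does the translation the issue reports is missing, namely sending the user to Kratos with `aal=aal2` when the client asked for `aal2` and the Kratos session is only `aal1`. The relying-party side checks the `amr` claim and, if the required method is absent, starts a fresh PKCE request with `acr_values=aal2` and `prompt=login`. The function names (`decideLogin`, `hasAMR`, `stepUpAuthorizeURL`, `kratosLoginURL`), the Kratos public URL on port 4433 and the login endpoint at `http://localhost:4455/login` are assumptions; the JSON inputs used in the test are constructed, not captured.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Subset of Hydra's login request (GET /admin/oauth2/auth/requests/login?login_challenge=...); Hydra fills oidc_context.acr_values from the client's acr_values parameter.
type hydraLoginRequest struct {
	Challenge   string `json:"challenge"`
	OIDCContext struct {
		ACRValues []string `json:"acr_values"`
	} `json:"oidc_context"`
}

// Subset of a Kratos session (GET /sessions/whoami).
type kratosSession struct {
	Active                      bool                                      `json:"active"`
	AuthenticatorAssuranceLevel string                                    `json:"authenticator_assurance_level"`
	Identity                    struct{ ID string `json:"id"` }           `json:"identity"`
	AuthenticationMethods       []struct{ Method string `json:"method"` } `json:"authentication_methods"`
}

// Body for PUT /admin/oauth2/auth/requests/login/accept?login_challenge=...; Hydra copies acr and amr into the ID token.
type acceptLogin struct {
	Subject string   `json:"subject"`
	ACR     string   `json:"acr,omitempty"`
	AMR     []string `json:"amr,omitempty"`
}

// The login endpoint's next step: exactly one field is set.
type loginDecision struct {
	RedirectTo string       // send the browser to Kratos (aal=aal2 when stepping up)
	Accept     *acceptLogin // accept the Hydra login request with this body
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// Kratos browser login URL (assumed Kratos public URL): aal=aal2 asks for the second factor, return_to brings the user back here with the same login_challenge.
func kratosLoginURL(kratosPublic, callback, challenge string, aal2 bool) string {
	q := url.Values{"return_to": {callback + "?login_challenge=" + url.QueryEscape(challenge)}}
	if aal2 {
		q.Set("aal", "aal2")
	}
	return kratosPublic + "/self-service/login/browser?" + q.Encode()
}

// decideLogin honours acr_values=aal2: a user whose Kratos session is only aal1 is sent to Kratos
// for the second factor; otherwise the login is accepted with the session's real assurance level and methods.
func decideLogin(loginReqJSON, sessionJSON []byte, kratosPublic, callback string) (loginDecision, error) {
	var req hydraLoginRequest
	if err := json.Unmarshal(loginReqJSON, &req); err != nil {
		return loginDecision{}, fmt.Errorf("hydra login request: %w", err)
	}
	if req.Challenge == "" {
		return loginDecision{}, fmt.Errorf("hydra login request has no challenge")
	}
	wantAAL2 := contains(req.OIDCContext.ACRValues, "aal2")
	var sess kratosSession
	if err := json.Unmarshal(sessionJSON, &sess); err != nil || !sess.Active {
		// No valid Kratos session yet: first factor, or straight to 2FA if requested.
		return loginDecision{RedirectTo: kratosLoginURL(kratosPublic, callback, req.Challenge, wantAAL2)}, nil
	}
	if wantAAL2 && sess.AuthenticatorAssuranceLevel != "aal2" {
		return loginDecision{RedirectTo: kratosLoginURL(kratosPublic, callback, req.Challenge, true)}, nil
	}
	var amr []string
	for _, m := range sess.AuthenticationMethods {
		amr = append(amr, m.Method)
	}
	return loginDecision{Accept: &acceptLogin{Subject: sess.Identity.ID, ACR: sess.AuthenticatorAssuranceLevel, AMR: amr}}, nil
}

// Relying-party side: does the (already signature-verified) ID token list the method the admin action requires, e.g. "totp"?
func hasAMR(claimsJSON []byte, method string) bool {
	var claims struct{ AMR []string `json:"amr"` }
	return json.Unmarshal(claimsJSON, &claims) == nil && contains(claims.AMR, method)
}

// Fresh PKCE authorization request for the step-up: acr_values=aal2 drives decideLogin, prompt=login stops Hydra from skipping the login endpoint because of a remembered aal1 login.
func stepUpAuthorizeURL(hydraPublic, clientID, redirectURI, state, codeChallenge string) string {
	q := url.Values{
		"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURI},
		"scope": {"openid"}, "state": {state}, "code_challenge": {codeChallenge},
		"code_challenge_method": {"S256"}, "acr_values": {"aal2"}, "prompt": {"login"},
	}
	return hydraPublic + "/oauth2/auth?" + q.Encode()
}
```

The HTTP plumbing around these functions is left out on purpose: the endpoint fetches the login request from the Hydra admin API, calls Kratos `whoami` with the browser's session cookie, and either redirects the browser to the returned Kratos URL or PUTs the accept body and redirects to Hydra's `redirect_to`. Because the accept body carries the session's actual `acr` and `amr`, an `aal1` login never claims `totp`, so the relying party's `hasAMR` check stays trustworthy even if a client forgets to ask for `aal2`.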