2FA is bypassed when combined with Hydra and JSON login #3408
Unanswered. jpogorzelski asked this question in Q&A.
Replies: 1 comment
Comment:
Interesting find :) We'll have to take a look at this then! Contributions are also welcome :)
Question (jpogorzelski):
We have the following setup: in our case Kratos is completely separated from the Internet and every interaction goes through Hydra or the Backend App.
The usual login flow looks like this:
- /oauth2/auth?client_id=...
- frontendApi.createBrowserLoginFlow (from Ory Client)
- frontendApi.updateLoginFlow, and Kratos calls the hook to accept the OAuth2 login challenge in Hydra.
It works well unless the user has configured MFA (e.g. TOTP) and it is configured to be required for login (session.whoami.required_aal=highest_available). Unless we modify the Backend app to make an extra call to /sessions/whoami, there is no way of knowing that AAL2 is required: "requested_aal": "aal1"
Is that intended behavior in the Kratos login flow? I think AAL2 verification should happen before calling Hydra().AcceptLoginRequest.
Additional info:
I found this part responsible for handling JSON login requests:
selfservice/flow/login/hook.go
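As an added illustration (not code from the question or from Ory), a backend-side gate in Python that only lets the Backend App accept Hydra's login challenge once the /sessions/whoami result shows the required AAL is met, and otherwise asks for a step-up; the 403 error id "session_aal2_required", the session field names and the sample bodies are assumptions about the Kratos JSON shape, constructed here and not taken from this page.

```python
import json
from dataclasses import dataclass

# Constructed sample responses modelled on Kratos /sessions/whoami (assumed shape).
WHOAMI_AAL2_SESSION = json.dumps({
    "active": True,
    "authenticator_assurance_level": "aal2",
    "authentication_methods": [{"method": "password", "aal": "aal1"},
                               {"method": "totp", "aal": "aal2"}],
})
WHOAMI_AAL1_SESSION = json.dumps({
    "active": True,
    "authenticator_assurance_level": "aal1",
    "authentication_methods": [{"method": "password", "aal": "aal1"}],
})
# Assumed 403 body when required_aal=highest_available and a second factor exists.
WHOAMI_AAL2_REQUIRED = json.dumps({
    "error": {"id": "session_aal2_required", "code": 403,
              "reason": "Please complete the second authentication challenge."}
})


@dataclass(frozen=True)
class Decision:
    action: str   # "accept" -> call Hydra AcceptLoginRequest; "step_up" -> aal2 login; "reject"
    reason: str


def gate_login_challenge(status: int, body: str, required_aal: str) -> Decision:
    """Decide what the Backend App may do after updateLoginFlow succeeded.

    status/body: HTTP status and body returned by /sessions/whoami for the new session.
    required_aal: "aal1", "aal2" or "highest_available" (the setting from the question).
    """
    if status == 403:
        err = json.loads(body).get("error", {})
        if err.get("id") == "session_aal2_required":
            return Decision("step_up", "Kratos reports the session still needs AAL2")
        return Decision("reject", f"unexpected 403 from whoami: {err.get('id')}")
    if status != 200:
        return Decision("reject", f"whoami returned HTTP {status}")
    session = json.loads(body)
    if not session.get("active"):
        return Decision("reject", "session is not active")
    have = session.get("authenticator_assurance_level", "aal1")
    # With highest_available Kratos already enforced the level before answering 200;
    # an explicit aal2 policy is enforced here so a 200 aal1 session never reaches Hydra.
    if required_aal == "aal2" and have != "aal2":
        return Decision("step_up", f"policy requires aal2, session is {have}")
    return Decision("accept", f"session meets required AAL ({have})")
```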