kratos
AAL escalation redirect with hydra challenge produces unnecessary message
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
If required AAL for whoami is configured as highest_available, after login, Kratos will create a session and attempt to escalate AAL. Due to the presence of a login challenge, the AAL2 flow is set to refresh, and an unnecessary "Please confirm this action by verifying that it is you" message is displayed.
Reproducing the bug
- Have a kratos instance with hydra, configured to a `highest_available` AAL, and a user with MFA
- Start a hydra OIDC flow
- Login
- Unnecessary "Please confirm this action by verifying that it is you" message is displayed
Screencast from 2023-12-21 13-48-10.webm
(Video is with a custom self-service UI, but same behavior is reproducible with selfservice-ui-node)
Relevant log output
No response
Relevant configuration
No response
Version
master
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
A possible solution is to set refresh to false if a session's identity is nil, but I don't know the further implications of this.