During the OAuth2 login flow, when the user has 2FA enabled, the LoginFlow may be in a weird state

[BrandonNoad]

Preflight checklist

• [X] I could not find a solution in the existing issues, docs, nor discussions.
• [X] I agree to follow this project's Code of Conduct.
• [X] I have read and am following this repository's Contribution Guidelines.
• [X] I have joined the Ory Community Slack.
• [X] I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

dazzling-chandrasekhar-msru5m4b1c

Describe the bug

During the OAuth2 flow, after submitting the email/password, the user is redirected to a URL similar to the following: https://account-flows-test.bonfirehub.com/self-service/login/browser?aal=aal2&login_challenge=[…]&return_to=https%3A%2F%2Fdazzling-chandrasekhar-msru5m4b1c.projects.oryapis.com%2Foauth2%2Fauth%3F[...], which looks correct.

But the LoginFlow returned by Ory from that request has both "requested_aal": "aal2" AND "refresh": true.

I’m not sure why refresh is true here. It is causing an issue for us because when refresh is true, our code attempts to look up the user’s current session (the one we are refreshing) so we can display the email address of the account the user is logged in as.

But in this case, the session lookup fails (I believe with a 403, Session has a lower AAL than required for the identity error).

All that said, is "refresh": true expected here? Or is it a bug?

In ory/elements, the UserAuthCard will display "Confirm it's you" instead of "Two-Factor Authentication" in this scenario.

https://github.com/ory/elements/blob/main/src/react-components/ory/user-auth-card.tsx#L129

May be related to https://github.com/ory/kratos/discussions/2742

Reproducing the bug

Start the OAuth2 Login flow with a user that has 2FA enabled. After submitting email/password, the user should be redirected to the page where the user submits the 2FA code. If you inspect the LoginFlow object, it should have both refresh: true and requested_aal: 'aal2'.

Relevant log output

No response

Relevant configuration

No response

Version

Ory Network

On which operating system are you observing this issue?

Ory Network

In which environment are you deploying?

Ory Network

Additional Context

No response

[BrandonNoad]

Also, the LoginFlow contains the messages for both the refresh and the aal2 scenarios

[aeneasr]

I looked into this, but it's not trivial to understand where the refresh parameter is coming from in this scenario. Could you - like Ory Elements, ignore the refresh value if AAL2 is required?

[BrandonNoad]

Yes, we are currently ignoring flow.refresh when flow.requested_aal === 'aal2'.

But I wasn't sure if we might be ignoring a valid case that could lead to bugs in the future.