Hi Ory :wave: I’m experimenting with OIDC in Ory N...
# ory-network
h
Hi Ory 👋 I’m experimenting with OIDC in Ory Network. I’m performing multiple sequential authorization flows, and Ory asks for my password (or any second factor) on each login authorization attempt. Is that expected? I’m pretty sure it did not work this way a couple months ago.
To elaborate, I’m doing this repeatedly:

```
ory perform authorization-code --project $ORY_PROJECT_ID --client-id $ORY_CLIENT_ID --client-secret $ORY_CLIENT_SECRET --scope openid,email,profile,offline_access
```
I’m getting this “Two-Factor Authentication” on each subsequent login. I have even disabled the 2FA in the whole project, but it has no effect so far.
On top of that I can’t even use `--prompt=none`, because it also, apparently, wants the second factor and responds with a `login_required` error.
p
Hi @handsome-agency-20541 This looks like a bug. Does this happen only when doing an OIDC flow, or does this happen in other cases as well?
h
I haven’t tested other cases, to be honest. Can you suggest something simple to test?
https://….projects.oryapis.com/ui pages open normally without asking for the password.
f
OK, that is really strange, I haven't seen this behavior. What auth methods have you configured as 1st and 2nd factor?
h
@fast-lunch-54279 I have experimented with multiple methods, having password, lookup secrets, and WebAuthn configured at various points in time. I think I also had passwordless login enabled for some time. Currently I have all 2FA things disabled (at least that is how it looks in the Ory Network admin console) to isolate the problem.
A random guess: maybe something went wrong in the configuration under the hood that triggers this behaviour? I can share the project ID/slug with you in DM, if it helps.
p
To me this looks like a refresh flow, so somewhere the `refresh=true` query parameter is added or the request is to something that requires a privileged session.
h
What if I’m implementing an SSO and have no idea whether a user has an active Ory session or not?
p
What do you mean? The flow would just fall back to the login flow if the user has no session. With a session it depends on the login provider: the provider can ask for 2FA or, in the case of refreshing the session, ask for the credentials again.
h
Ah, ok, that sounds promising. I will re-read the docs and report back.
p
A lot of it is dependent on the project settings, and some of the behavior can be different depending on the UI implementation as well (like adding `?refresh=true` to create login flow).
h
@proud-plumber-24205 I’m a bit confused. I’m trying to use OIDC with the default Ory Network UI, so the only place I found to add `refresh=true` is the “Customize / User Interface / Login UI” field. It did not help. In dev tools I see a sequence of redirects which passes through this one:

```
/self-service/login/browser?aal=&refresh=&return_to=&login_challenge=3ffbf5a86ee94328b8434c32427e54c7
```

If I remove the `login_challenge` parameter, the login flow no longer asks for the password or the second factor. So, apparently, it is something from Hydra that makes Kratos re-check the credentials. I’m not yet sure how I can influence this process.
> something from Hydra
On second thought, it could be something in Kratos just in the presence of Hydra interop. So I’m just guessing here 😐
p
I see, I would need to check this. Would it be possible to add everything to an issue on https://github.com/ory/network/issues? On Slack things get lost. It could be the UI also falling back to this login refresh flow unnecessarily. Will need to check it out.
h
> Would it be possible to add everything to an issue
Absolutely. It will take me some time to collect all the pieces in a readable bunch, but I’ll do that.
p
thank you 🙏
h
Hey 👋 I know I’m yet to post an issue, but I’ve been trying to narrow the problem down, and perhaps I have found something. I’m not proficient in Go, but I guess this block is in play here:

```go
if !hlr.GetSkip() {
  h.d.SelfServiceErrorManager().Forward(r.Context(), w, r, errors.WithStack(herodot.ErrInternalServerError.WithReason("ErrAlreadyLoggedIn indicated we can skip login, but Hydra asked us to refresh")))
  return
}
```
I have checked the output of `/admin/oauth2/auth/requests/login?login_challenge=…` for the challenge mentioned in the subsequent login flow, and it has `"skip": false`. The doc states:
> skip
> required boolean
> Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL.
Getting `false` seems wrong, since I’m requesting the same scopes each time (openid,email,profile,offline_access); tried with both the “skip consent” option enabled and disabled for my test OIDC client.
@proud-plumber-24205 I think we don’t need a new issue. https://github.com/ory/network/issues/194 seems to fit the problem perfectly.
> I’m pretty sure it did not work this way a couple months ago.
Since that bug was filed in December, either it requires some specific conditions, or my memory misleads me 😅
If it is possible to enable debug logging in Ory Network Hydra, I can serve as a guinea pig to see which of the exit reasons we hit here.
p
Thank you for that, this looks like the same problem. It would be good to add the steps you took to get the error to this issue as well. The more information on the problem, the easier it is to fix 🙂
At the moment it isn't possible to get the log stream directly, since we don't expose it to the public yet. I can take a look at it this week to narrow down the problem.
It would actually be a good idea if you could send me your project slug in a DM please, then I can use that to look through the logs.
h
Please let me know if you get to it. I may be available for a live-debugging session. Will DM you the project details in a moment.
For those who may be reading this thread – https://github.com/ory/network/issues/194#issuecomment-1483034999