Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hello. I think I found an issue with 2FA Login flow when combined with Hydra Login Challenge and using JSON instead of form data media type.
When using similar setup, but sending form data instead of JSON, it works well since Kratos does 303 redirect with aal=aal2 parameter added.
More details here:
<https://github.com/ory/kratos/discussions/3408>

:thinking_face: That scenario may have been overlooked during this fix: <https://github.com/ory/kratos/pull/3271>

The `AcceptLoginRequest` should probably come after the `requiresAAL2`.

Yes, I think so - the login challenge gets accepted before checking if AAL2 is required

There is something similar ongoing but related to registration flow instead of login and verification instead of AAL2: <https://github.com/ory/kratos/pull/3412/files>