# talk-kratos
r
I am setting up TOTP. Below is the initial request to log in with the user’s credentials. I then call toSession to check if the user requires aal2, and switch to displaying the TOTP form to enter the verification code.
```ts
// First factor: submit the password form for the current login flow
const response = await ory.updateLoginFlow({
  flow: flow.id,
  updateLoginFlowBody: {
    csrf_token: csrfToken,
    method: SessionAuthenticationMethodMethodEnum.Password,
    ...values,
  },
});

// Check the session; an aal2-required error means the second factor is still pending
try {
  await ory.toSession();
} catch (err: any) {
  if (err.response.data.error.id === 'session_aal2_required') {
    console.log(err);
    debugger;
    router.push(
      `/login?aal=aal2${
        search?.has('return_to') ? `&return_to=${search.get('return_to')}` : ''
      }`
    );
    return;
  }
}
```
Once the code is entered I call updateLoginFlow with the same flow id as above, but it responds with “valid session already exists and thus can’t complete login”.

```ts
// Second factor: submit the TOTP code against the same flow id
const response = await ory.updateLoginFlow({
  flow: flow.id,
  updateLoginFlowBody: {
    csrf_token: csrfToken,
    method: SessionAuthenticationMethodMethodEnum.Totp,
    totp_code,
  },
});
```

Anyone have insights into what I’m doing incorrectly? A note that the account I’m testing has TOTP active, as the toSession call is returning `session_aal2_required`.
m
It seems like you’re on the right track! However, there are a few things you might want to check:

1. Session Status: The error message “valid session already exists and thus can’t complete login” suggests that the user is already signed in. This is indicated by the `session_already_available` error in the API Reference. You might want to check the session status before attempting to update the login flow.
2. Required Level of Authentication: When initializing the second authentication factor, the user must already have a valid session cookie. The `/sessions/whoami` endpoint returns an error with the `session_aal2_required` ID if the user is required to complete a second factor. This is mentioned in the Advanced Integration documentation.
3. TOTP Configuration: Ensure that TOTP has been correctly enabled for the user’s account. The user must enable TOTP in their own account by pairing their account with a TOTP app. This is detailed in the TOTP Authentication documentation.

If you’re still encountering issues, you might want to refer to the Cypress tests used in Ory Identities (Ory Kratos) for TOTP implementation as a reference.
r
2. The ory.toSession is coming back with `session_aal2_required`, so the trigger for the display is working as expected. To confirm, is this correct? And the flow.id should be the same as used for submitting the initial username+password credentials.

```ts
// TOTP submission, reusing the flow id from the password step
const response = await ory.updateLoginFlow({
  flow: flow.id,
  updateLoginFlowBody: {
    csrf_token: csrfToken,
    method: SessionAuthenticationMethodMethodEnum.Totp,
    totp_code,
  },
});
```
f
I had a similar problem and here are my 2 cents - it works for me to add the `refresh=true` query parameter, as someone needs to be authenticated by aal2:

```
/login?aal=aal2&refresh=true
```

and then Ory can "handle" the new flow for the valid session in cookies.
r
Thank you @alert-rain-4709. I also noted later in the day that the Kratos UI example generates a new flow for the TOTP call. It’s a little unintuitive for me, since my thought was that one flow should handle tracking all auth sequences, but it seems that is more the session’s role.