# general
s
The docs page explains what fields are considered privileged, and only for those you need to have a privileged session
p
So only traits marked as identifiers are considered privileged? Or are `username` and `email` hardcoded privileged traits? When I try to update a custom trait like `last_name` using a `profile` settings flow, I have to send the values of all the schema traits. Otherwise, the request will fail with a 400 error (e.g. "Property email is missing" if I don't include the email trait in the request). If I include all the fields, even if none of them have changed, I get a 403 error ("The requested action was forbidden"). What is the proper way to update the profile of a user? Thanks, Patrik.
l
There is a new setting to skip 2FA for settings (which I know is different from privileged sessions, but similar to your GitHub example)
p
I'm not using Ory Network (I assume the screenshot comes from there), and I'm not even using 2FA for now. My initial idea is just to request the user to re-authenticate when they want to change any sensitive field (and not all of them), but it seems like I don't understand how privileged sessions and the settings flow work 😞
s
the fields are derived from the schema metadata, essentially how you set a field to be the password identifier
I vaguely remember some similar issues with casing, because we lower-case all identifiers, so you need to submit the values the same way you get them from Kratos
but it could very well be that there is some other bug
l
s
ah true, even your bug @limited-photographer-61008 😂
p
I'm not sure that issue is related to my question. Anyway, I'll take a look at the code and I'll open a GitHub issue if I see anything relevant or if I cannot figure it out. Thanks!