Hia, have been working on a self-service UI with kratos, and it seems like

/self-service/settings/browser

will redirect to

/self-service/login/browser

with nothing making it redirect back to settings - it just authenticates. I found that

/self-service/login/browser?return_to=/self-service/settings/browser&aal=aal2

works as intended, but I'm not sure if that behavior is a bug on my end, or kratos, or not a bug at all? Thank you! Edit: Have been looking at this more, and just getting more confused... Updating a login flow with a form request does what it's supposed to: redirect you to an aal2 flow, but with an XHR flow update it doesn't return a

return_to

that redirects to an aal2 flow, nor does it return a 400 with a new UI - it just returns successful login with a null identity Seems like Kratos will also accept a hydra login challenge without the second factor like this and redirect back to hydra? So is there actually a way to actually enforce aal2 without a null-identity session being created? I don't think it's a good idea to check aal on the hydra consent screen Overall, is there a way to simply enforce

highest_available

? I'm just not really sure what to do at all at this point