so your complete login process needs to be something like: 1. Get login flow 2. (user completes form) 3. UpdateLoginFlow 4. on success: a. check session via

whoami

(or assume everything is ok if the response from UpdateLoginFlow includes an identity b. if success i. continue app startup c. if fail i. check error id. It will probably be

session_aal2_required

ii. Redirect the user to an aal2 login flow, goto 1