# ory-network
f
Hello, I have an issue with my instance on Ory Network: after signing up or signing in with a password, I can't load the settings flow. I get a 403 on /self-service/settings/browser with an aal1 session, and my user did not set up MFA yet. My current config looks like this:
selfservice:
  flows:
    settings:
      required_aal: highest_available
# ...
session:
  whoami:
    required_aal: aal1
According to this documentation, I understand that I should be able to load the settings flow with an aal1 session while MFA is not set up. Can you help me understand what's going on? My project id is 37f4eaf2-c2f2-46da-ba16-e1e1e4fc8c1c
b
What's the response body from the 403 response? And do you use email OTP for MFA?
f
Here is the body response:
{
  "error": {
    "id": "session_aal2_required",
    "code": 403,
    "status": "Forbidden",
    "reason": "An active session was found but it does not fulfill the requested Authenticator Assurance Level. Please verify yourself with a second factor to resolve this issue.",
    "details": {
      "redirect_browser_to": "http://localhost:4200/self-service/login/browser?aal=aal2"
    },
    "message": "Session does not fulfill the requested Authenticator Assurance Level"
  },
  "redirect_browser_to": "http://localhost:4200/self-service/login/browser?aal=aal2"
}
It says that the session does not fulfill the requested AAL, but I'm using an account that did not set up MFA yet.
I'm using both TOTP and SMS for MFA.
b
If you have configured SMS for MFA, a second factor is available for the session, so this works as intended AFAICT.
f
No, because at this point there is no phone number in the user's traits. My workflow is the following: 1) The user signs up with email & password (phone number is empty in traits at this step). 2) The user sets up MFA (phone number OR TOTP): he loads a settings flow => this is where I get the 403. How could the user get an aal2 session if he did not fill in his phone number yet?
b
Hm, I see. What's your identity schema?
f
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "https://schemas.ory.sh/presets/kratos/identity.email.schema.json",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "first_name": {
          "title": "First Name",
          "type": "string"
        },
        "last_name": {
          "title": "Last Name",
          "type": "string"
        },
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              },
              "webauthn": {
                "identifier": true
              },
              "totp": {
                "account_name": true
              }
            },
            "recovery": {
              "via": "email"
            },
            "verification": {
              "via": "email"
            }
          },
          "maxLength": 320
        },
        "phoneNumber": {
          "type": "string",
          "format": "tel",
          "title": "Phone Number",
          "ory.sh/kratos": {
            "credentials": {
              "code": {
                "identifier": true,
                "via": "sms"
              }
            },
            "verification": {
              "via": "sms"
            }
          }
        },
        "preferences": {
          "type": "object",
          "properties": {
            "locale": {
              "type": "string",
              "title": "Locale",
              "enum": [
                "en",
                "fr"
              ]
            },
            "theme": {
              "type": "string",
              "title": "Theme",
              "enum": [
                "light",
                "dark",
                "system"
              ]
            }
          },
          "required": [
            "locale",
            "investorAppMode"
          ],
          "additionalProperties": false
        },
        "referralCode": {
          "title": "Referral code",
          "type": "string"
        }
      },
      "required": [
        "first_name",
        "last_name",
        "email",
        "preferences"
      ],
      "additionalProperties": false
    }
  }
}
b
Okay, this could be a bug. Could you create an issue in github.com/ory/network? We will take a look there. Thank you!
f
Hi @bland-eye-99092, I have just created an issue: https://github.com/ory/network/issues/409