# talk-kratos
w
Hello Team! I'm using Ory Cloud and using self-service APIs to register & login. Ory Cloud has been configured to accept 2FA. I'm able to call `/self-service/login/api` and subsequently `/self-service/login` to authenticate. In this case, since there is no `aal` query parameter, a second challenge isn't provided. However, when I call `/self-service/login/api&aal=aal2` I get the following error:
```json
{
  "error": {
    "id": "session_aal1_required",
    "code": 401,
    "status": "Unauthorized",
    "request": "f75f7d03-5d53-92fa-a8d0-SCRUBBED",
    "reason": "You can not requested a higher AAL (AAL2/AAL3) without an active session.",
    "message": "aal2 and aal3 can only be requested if a session exists already"
  }
}
```
How do I invoke/trigger the 2FA via APIs? As far as I can tell from the docs, the use of self-service APIs requires the `flow`, which is retrieved by invoking the `.../api` endpoint... and if `.../api` requires `aal` as a query parameter, how does one ever get a session first? Appreciate any thoughts & guidance. Thanks!
m
Are you looking at authentication/2FA for an API client or a client without a browser? If the end user is on a browser, you need to use `/login/browser/`. Would you mind reposting in #cloud if the issue persists? This lets us keep track of it better, thanks 🙏
w
Of course!
b
Hi @wooden-monitor-66999, I was having the same problem with self-hosted. Here is how I solved it as a 2-step process:

1. Start the flow for username/password: `/self-service/login/api`. Once you submit username/password, you get a session back with aal1:

```json
...
"authentication_methods": [
    {
      "method": "password",
      "aal": "aal1",
      "completed_at": "2022-09-28T21:53:17.7964093Z"
    }
...
```
2. Start a 2nd flow with `/self-service/login/api&aal=aal2`. Be sure to send the session token from the first flow in the header `X-Session-Token: WbD0IgkwJmu1mYZicNhROvH1La8Yrw0Q`, along with the 2FA code in the body, e.g.:

```http
POST /self-service/login?flow=a631ed7e-42ca-42d8-9f31-1eb57d91c98d HTTP/1.1
Host: 127.0.0.1:4434
User-Agent: OpenAPI-Generator/1.0.0/go
Content-Length: 39
Accept: application/json
Content-Type: application/json
X-Session-Token: WbD0IgkwJmu1mYZicNhROvH1La8Yrw0Q
Accept-Encoding: gzip

{"method":"totp","totp_code":"478360"}
```

Then you will have a session with aal2:

```http
GET /sessions/whoami HTTP/1.1
Host: 127.0.0.1:4434
User-Agent: OpenAPI-Generator/1.0.0/go
Accept: application/json
X-Session-Token: WbD0IgkwJmu1mYZicNhROvH1La8Yrw0Q
Accept-Encoding: gzip

HTTP/1.1 200 OK
Content-Length: 1220
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: application/json; charset=utf-8
Date: Thu, 29 Sep 2022 02:47:01 GMT
Vary: Origin
Vary: Cookie
X-Kratos-Authenticated-Identity-Id: 0ef6ac4e-cc63-47a1-b6d9-4f2eb5f58630

...
  "authentication_methods": [
      {
        "method": "password",
        "aal": "aal1",
        "completed_at": "2022-09-28T20:55:57.7402272Z"
      },
      {
        "method": "totp",
        "aal": "aal2",
        "completed_at": "2022-09-28T20:55:57.8174699Z"
      }
    ],
...
```