Hello Ory Team I m facing an issue in my application when us Ory Community #ory-network

Hello Ory Team, I'm facing an issue in my applicat...

modern-caravan-99632

03/27/2025, 7:15 AM

Hello Ory Team, I'm facing an issue in my application when using Ory SDK and Ory elements to create login, recovery, and settings flows. For some reason, when MFA is enabled, the screen redirects to the login page saying (Verify it's you, which shouldn't happen, especially for recovery, I tried testing using the examples provided in the Ory elements repo, and I'm getting the same issues where I keep getting stuck in a redirect loop, the only way to get out of it is to copy the

redirect_browser_to

link from the response, then log in on Ory and navigate back to my application. I saw a thread here related to Kratos and having MFA enabled for settings. In the SDK, is there a way to disable MFA during recovery?!

magnificent-energy-493

03/27/2025, 6:56 PM

Hello @modern-caravan-99632 I did not test it but I think the root cause is related to how Ory handles the required Authenticator Assurance Level (AAL) for settings flows when MFA is enabled. By default, Ory uses a "Strict" model where settings operations require the highest available AAL (highest_available), which means users need to complete all configured authentication factors. You can set the required AAL to

aal1

instead of

highest_available

for the settings flow:

Copy code

selfservice:
  flows:
    settings:
      required_aal: aal1

this allows users to access settings after recovery without completing the second factor, which should prevent the redirect loop.

modern-caravan-99632

03/27/2025, 7:00 PM

Hi @magnificent-energy-493, I am using Ory Network and Ory Client SDK, How can I set these fields using the SDK?!

magnificent-energy-493

03/27/2025, 7:01 PM

You can set them using the Ory CLI: https://www.ory.sh/docs/guides/cli/identity-cli

magnificent-energy-493

03/27/2025, 7:01 PM

export the config:

ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml > identity-config.yaml

make changes and import again

ory update identity-config --project <project-id> --workspace <workspace-id> --file config.yaml

modern-caravan-99632

03/27/2025, 7:07 PM

Is there another way other than the CLI @magnificent-energy-493?! Just confirming that it can't be done using the admin APIs?

magnificent-energy-493

03/27/2025, 7:27 PM

Yes generally the Ory CLI is just a wrapper for the API, you can also use this API: • https://www.ory.sh/docs/reference/api#tag/project/operation/patchProject • https://www.ory.sh/docs/reference/api#tag/project/operation/setProject personally I find the CLI easier to use to edit the config though.

modern-caravan-99632

03/27/2025, 7:39 PM

Yes, you are right makes sense. Thanks @magnificent-energy-493, for your support

modern-caravan-99632

03/27/2025, 10:00 PM

@magnificent-energy-493 This fixed the Recover redirect loop, But the login is still getting stuck when MFA is enabled My local development link get redirected to aal2 http://localhost:3000/login?aal=aal2 but I don't get the MFA screen, The same is happening in the example provided by Ory elements

Copy code

{
  "error": {
    "id": "browser_location_change_required",
    "code": 422,
    "status": "Unprocessable Entity",
    "reason": "In order to complete this flow please redirect the browser to: <http://localhost:3009/self-service/login/browser?aal=aal2>",
    "message": "browser location change required"
  },
  "redirect_browser_to": "<http://localhost:3009/self-service/login/browser?aal=aal2>"
}

modern-caravan-99632

03/27/2025, 10:38 PM

Oh it's an issue in the example code. I fixed it, and I will open a PR

magnificent-energy-493

03/28/2025, 12:47 AM

Thanks so much 🙏 feel free to tag me in the PR, will see to get some more eyes on it

3 Views

Open in Slack

Previous Next