https://www.ory.sh/ logo
Join Slack
Powered by
s
2
b
A message from kapa.ai
To change the Authenticator Assurance Level (AAL) from 
aal1
to 
aal2
in Ory Kratos, you need to perform a "step-up" authentication by initiating a new login flow that requires the user to complete a second authentication factor (such as TOTP, SMS, or WebAuthn). Here’s how you can do it: 1. Start a new login flow with AAL2 required: Redirect the user to the login endpoint with the 
aal=aal2
query parameter. For example:
Copy code
/self-service/login/browser?aal=aal2
or, for API flows:
Copy code
/self-service/login/api?aal=aal2
2. User completes the second factor: The user will be prompted to provide their second authentication factor (e.g., enter a TOTP code or SMS code). Once they successfully complete this step, their session will be upgraded to 
aal2
. 3. Session is now AAL2: After successful authentication, the session’s 
authenticator_assurance_level
will be set to 
aal2
. You can verify this by checking the session object (e.g., using the 
/sessions/whoami
endpoint). If the session is already at 
aal2
and you want to force re-authentication, you can add the 
refresh=true
parameter:
Copy code
/self-service/login/browser?refresh=true&aal=aal2
This process ensures that the user has completed both the primary and secondary authentication factors, thus elevating the session from 
aal1
to 
aal2
[Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication) [Check AAL](https://www.ory.sh/docs/identities/get-started/mfa#check-aal). Note: The available second factors depend on your Ory Kratos configuration (TOTP, SMS, WebAuthn, etc.). Make sure the user has set up a second factor before requiring 
aal2
.
s
@chilly-king-10285 response of sessions/whoami
Copy code
{
  "id": "a2f70ebe-ca9f-429a-9da5-07c9ffbcba12",
  "active": true,
  "expires_at": "2025-05-28T07:04:13.918283Z",
  "authenticated_at": "2025-05-27T07:04:13.918283Z",
  "authenticator_assurance_level": "aal1",
  "authentication_methods": [
    {
      "method": "password",
      "aal": "aal1",
      "completed_at": "2025-05-27T07:04:13.918276388Z"
    }
  ],
  "issued_at": "2025-05-27T07:04:13.918283Z",
  "identity": {
    "id": "e475e488-d1ac-4f52-88df-f13b68413b00",
    "schema_id": "md-dashboard",
    "schema_url": "<http://kratos:4433/schemas/bWQtZGFzaGJvYXJk>",
    "state": "active",
    "state_changed_at": "2025-05-02T10:56:16.703318Z",
    "traits": {
      "username": "VNSuser001"
    },
    "metadata_public": null,
    "created_at": "2025-05-02T10:56:16.704271Z",
    "updated_at": "2025-05-02T10:56:16.704271Z",
    "organization_id": null
  },
  "devices": [
    {
      "id": "292126e4-4285-4e27-876a-0a345bc6c559",
      "ip_address": "",
      "user_agent": "bruno-runtime/2.3.0",
      "location": ""
    }
  ]
}
b
A message from kapa.ai
Your session response from the 
/sessions/whoami
endpoint shows that the current session has an 
authenticator_assurance_level
of 
"aal1"
, and the only authentication method used is 
"password"
. This means the user has only completed the first authentication factor and has not yet performed a second factor (such as TOTP, WebAuthn, or another supported method). To change the session from 
aal1
to 
aal2
, you need to initiate a step-up authentication flow that requires the user to complete a second authentication factor. Here’s how you can do it: 1. Redirect the user to a login flow requiring AAL2: Send the user to the login endpoint with the 
aal=aal2
parameter, for example:
Copy code
/self-service/login/browser?aal=aal2
This will prompt the user to complete a second authentication factor (such as TOTP or WebAuthn) if they have one configured. 2. After successful completion: Once the user completes the second factor, their session will be upgraded to 
aal2
. You can verify this by checking the 
authenticator_assurance_level
in the session response again—it should now be 
"aal2"
and the 
authentication_methods
array will include the second factor (e.g., 
"totp"
or 
"webauthn"
). This process is described in the Ory documentation for step-up authentication and multi-factor authentication flows. If the user does not have a second factor configured, they will need to set one up before they can achieve 
aal2
status [Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication). Summary: Your current session is 
aal1
(single factor). To upgrade to 
aal2
, initiate a login flow with 
aal=aal2
and complete the second factor challenge. Afterward, the session will reflect 
aal2
if successful.
s
@chilly-king-10285 i get error with 
self-service/login/browser?aal=aal2
Copy code
{
  "error": {
    "id": "session_aal1_required",
    "code": 401,
    "status": "Unauthorized",
    "reason": "You can not requested a higher AAL (AAL2/AAL3) without an active session.",
    "message": "aal2 and aal3 can only be requested if a session exists already"
  }
}
b
A message from kapa.ai
The error message you are seeing:
Copy code
json {   "error": {     "id": "session_aal1_required",     "code": 401,     "status": "Unauthorized",     "reason": "You can not requested a higher AAL (AAL2/AAL3) without an active session.",     "message": "aal2 and aal3 can only be requested if a session exists already"   } }
means that you are trying to initiate a login flow with 
aal=aal2
without having an active session. According to the Ory documentation, requesting a higher AAL (like 
aal2
) is only possible if the user already has an active session (i.e., is already logged in with at least 
aal1
). If there is no session, you must first perform a standard login (without the 
aal=aal2
parameter) to establish an 
aal1
session. Once the user is authenticated and has an active session, you can then initiate the step-up authentication to 
aal2
by redirecting them to the login flow with 
aal=aal2
 [Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication). Summary of steps: 1. User logs in normally (no 
aal
parameter) to get an 
aal1
session. 2. With an active session, redirect to 
/self-service/login/browser?aal=aal2
to trigger the second factor and upgrade to 
aal2
. If you try to request 
aal2
without an active session, you will get the error you posted. This behavior is confirmed in the Ory documentation and API reference [createBrowserLoginFlow](https://www.ory.sh/docs/kratos/reference/api) and [step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication).
s
@chilly-king-10285 when i login i get error:
Copy code
curl --request POST \
  --url '<http://127.0.0.1:4455/kratos/self-service/login?flow=8f797da8-a42a-46dd-bde0-69f91cf424fb>' \
  --header 'content-type: application/json' \
  --header 'cookie: {{oryKratosSession}};{{loginFlowCookie}}' \
  --cookie '{{oryKratosSession}};{{loginFlowCookie}}' \
  --data '{
  "csrf_token": "{{loginFlowCsrf}}",
  "method": "totp",
  "totp_code": "708589" // Replace with the code from your app
}'
Copy code
"messages": [
      {
        "id": 4000011,
        "text": "You have no TOTP device set up.",
        "type": "error"
      }
    ]
b
A message from kapa.ai
The error message you are seeing:
Copy code
json {   "id": 4000011,   "text": "You have no TOTP device set up.",   "type": "error" }
means that the user account you are trying to log in with does not have a TOTP (Time-based One-Time Password) device configured. In Ory Kratos, before you can use the TOTP login method, the user must first pair their account with a TOTP app (such as Google Authenticator or FreeOTP) in their account settings. Only after this setup can you use the TOTP code for login. What you need to do: 1. Log in with a primary method (such as password). 2. Go to the account settings and enable TOTP by pairing a TOTP app with your account. 3. After successful pairing, you will be able to use the TOTP code for login. This behavior and the meaning of the error code 
4000011
are documented in the Ory Kratos documentation [You have no TOTP device set up. (4000011)](https://www.ory.sh/docs/kratos/concepts/ui-user-interface#you-have-no-totp-device-set-up-4000011). If you attempt to log in with the TOTP method before setting up a TOTP device, you will always receive this error.
s
@chilly-king-10285 how can i do "Go to the account settings and enable TOTP by pairing a TOTP app with your account." in kratos.yml or api?
b
A message from kapa.ai
To enable TOTP for a user in Ory Kratos, you cannot do it solely through the 
kratos.yml
configuration file. The configuration file enables or disables TOTP as a feature for your project, but each user must individually pair their account with a TOTP app (like Google Authenticator) through a self-service settings flow. How to enable TOTP for a user via API: 1. Enable TOTP in your Kratos configuration (if not already enabled):
Copy code
yaml selfservice:   methods:     totp:       config:         issuer: <http://ExampleIssuer.com|ExampleIssuer.com>       enabled: true
Update your configuration and restart Kratos if needed [Configure TOTP](https://www.ory.sh/docs/kratos/mfa/totp#enabling-totp-authentication). 2. Start a settings flow for the user (must be authenticated):
Copy code
http GET /self-service/settings/api
or for browser flows:
Copy code
http GET /self-service/settings/browser
3. Submit the TOTP pairing request using the flow ID and the CSRF token from the previous step. The user will need to scan the QR code with their TOTP app. The QR code is provided in the settings flow response (in base64 format) [Generate QR code and verify users provided code .NET Core](https://github.com/ory/kratos/discussions/4311). 4. Verify the TOTP code: Submit the TOTP code generated by the app to the settings flow endpoint:
Copy code
json {   "method": "totp",   "totp_code": "123456", // Replace with the code from the user's app   "csrf_token": "<csrf_token>" }
POST this to:
Copy code
/self-service/settings?flow=<flow_id>
or the equivalent API endpoint. If successful, the user's account will be paired with the TOTP device, and they can use TOTP for future logins [API Reference: updateSettingsFlow](https://www.ory.sh/docs/kratos/reference/api). Summary: - You enable TOTP globally in 
kratos.yml
, but each user must pair their device via the self-service settings flow and API. - The QR code for pairing is returned in the settings flow response. - There is no way to pair a TOTP device for a user directly in the config file; it must be done per user via the API or UI. If you need more details on the exact API payloads, see the [Ory Kratos API reference](https://www.ory.sh/docs/kratos/reference/api) and the [TOTP documentation](https://www.ory.sh/docs/kratos/mfa/totp).
s
@chilly-king-10285 I have used google authenticator to scan QR code and it generates code, but when i call api:
Copy code
curl --request POST \
  --url '<http://127.0.0.1:4455/kratos/self-service/login?flow=c5fc1988-d77c-41e1-b6f9-efaaa1af348c>' \
  --header 'content-type: application/json' \
  --header 'cookie: {{oryKratosSession}};{{loginFlowCookie}}' \
  --cookie '{{oryKratosSession}};{{loginFlowCookie}}' \
  --data '{
  "csrf_token": "{{loginFlowCsrf}}",
  "method": "totp",
  "totp_code": "708589" // Replace with the code from your app
}'
I get error
Copy code
{
  "id": "c5fc1988-d77c-41e1-b6f9-efaaa1af348c",
  "organization_id": null,
  "type": "browser",
  "expires_at": "2025-05-28T07:36:41.556373Z",
  "issued_at": "2025-05-27T07:36:41.556373Z",
  "request_url": "<http://127.0.0.1:4455/self-service/login/browser?aal=aal2>",
  "ui": {
    "action": "<http://kratos:4433/self-service/login?flow=c5fc1988-d77c-41e1-b6f9-efaaa1af348c>",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "6sY2gka1kZhQAkog4sTkmy2ZZMt2psOQXVBuF/5lh5id9XRq5YgPVDVd75cVfC/GFXEXdoV07I8I5YfdngzCCQ==",
          "required": true,
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {}
      }
    ],
    "messages": [
      {
        "id": 4000011,
        "text": "You have no TOTP device set up.",
        "type": "error"
      }
    ]
  },
  "created_at": "2025-05-27T07:36:41.561628Z",
  "updated_at": "2025-05-27T07:36:41.561628Z",
  "refresh": false,
  "requested_aal": "aal2",
  "state": "choose_method"
}
b
A message from kapa.ai
Based on your description and the error message:
Copy code
json {   "id": 4000011,   "text": "You have no TOTP device set up.",   "type": "error" }
This means that, according to Ory Kratos, your user account does not have a TOTP device registered, even though you scanned the QR code with Google Authenticator. This situation can occur if the TOTP pairing process was not fully completed or not properly saved for the user. Key points from the knowledge sources: - Before you can use TOTP for login, the user must pair their account with a TOTP app through the self-service settings flow. This involves not just scanning the QR code, but also submitting a valid TOTP code to confirm and activate the pairing. Only after this confirmation is the TOTP device considered set up for the user [You have no TOTP device set up. (4000011)](https://www.ory.sh/docs/kratos/concepts/ui-messages#you-have-no-totp-device-set-up-4000011). - The error you are seeing is the expected response if you try to use TOTP for login before the device is registered in the user's credentials [You have no TOTP device set up. (4000011)](https://www.ory.sh/docs/kratos/concepts/ui-user-interface#you-have-no-totp-device-set-up-4000011). What you should do: 1. Go through the TOTP setup flow in the account settings: - Log in with your primary method (e.g., password). - Go to the account settings page (or use the settings API flow). - Start the TOTP setup process, scan the QR code, and then submit a valid TOTP code from your authenticator app to confirm the pairing. - Only after this confirmation will the TOTP device be registered for your account. 2. Verify TOTP is set up: - You can check the user's credentials object to see if TOTP is present [Identity credentials](https://www.ory.sh/docs/kratos/mfa/totp#identity-credentials). 3. Now try logging in with TOTP: - After successful pairing, you should be able to use the TOTP code for login. If you skip the confirmation step (submitting the TOTP code during setup), the device will not be registered, and you will continue to see this error. If you have already done all these steps and still see the error, there may be an issue with the flow or a bug, as discussed in some GitHub issues, but the most common cause is not completing the TOTP pairing process fully [You have no TOTP device set up. (4000011)](https://www.ory.sh/docs/kratos/concepts/ui-messages#you-have-no-totp-device-set-up-4000011). Summary: You must complete the TOTP pairing process (including code confirmation) in the settings flow before you can use TOTP for login. The error means the device is not yet registered for your user.
s
@chilly-king-10285 please help me step by step, how can i do "the user must pair their account with a TOTP app through the self-service settings flow"
b
A message from kapa.ai
Certainly! Here’s a step-by-step guide, based strictly on the Ory Kratos documentation, for how a user can pair their account with a TOTP app (like Google Authenticator) using the self-service settings flow: --- ### 1. Enable TOTP in Your Kratos Configuration First, ensure TOTP is enabled in your Kratos configuration:
Copy code
yaml selfservice:   methods:     totp:       config:         issuer: <http://ExampleIssuer.com|ExampleIssuer.com>       enabled: true
Update your configuration and restart Kratos if needed [Enabling TOTP authentication](https://www.ory.sh/docs/kratos/mfa/totp#enabling-totp-authentication). --- ### 2. User Logs In with Primary Method The user must be logged in (e.g., with a password) to access the settings flow. --- ### 3. Initialize the Settings Flow - For browser-based flows, direct the user to:
Copy code
/self-service/settings/browser
- For API-based flows, call:
Copy code
GET /self-service/settings/api
(Include the session token in the request.) This initializes the settings flow and returns a flow ID and UI nodes, including the TOTP setup option [Initialize settings flow](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#initialize-settings-flow). --- ### 4. Start TOTP Pairing - The response will include a QR code (in base64 format) for TOTP pairing. - Present this QR code to the user in your UI. - The user scans the QR code with their TOTP app (e.g., Google Authenticator) [Generate QR code and verify users provided code .NET Core](https://github.com/ory/kratos/discussions/4311). --- ### 5. User Submits TOTP Code - The user enters the 6-digit code generated by their TOTP app. - Submit this code to the settings flow endpoint, along with the flow ID and CSRF token:
Copy code
json {   "method": "totp",   "totp_code": "123456", // Code from the user's app   "csrf_token": "<csrf_token>" }
POST this to:
Copy code
/self-service/settings?flow=<flow_id>
or the equivalent API endpoint [API Reference: updateSettingsFlow](https://www.ory.sh/docs/kratos/reference/api). --- ### 6. TOTP Is Now Paired - If the code is correct, the TOTP device is now registered for the user. - The user can now use TOTP as a second factor for login and step-up authentication [Identity credentials](https://www.ory.sh/docs/kratos/mfa/totp#identity-credentials). --- Summary: 1. Enable TOTP in config. 2. User logs in. 3. Start settings flow. 4. Show QR code, user scans it. 5. User submits TOTP code to confirm. 6. TOTP is now paired and ready for use. If you follow these steps and complete the confirmation, the user’s account will be paired with their TOTP app and ready for MFA flows.
s
@chilly-king-10285 please give me step by step to login with totp
b
A message from kapa.ai
Certainly! Here is a step-by-step guide to logging in with TOTP (Time-based One-Time Password) using Ory Kratos, based strictly on the provided documentation: --- ### 1. Start a Login Flow - For browser-based flows, navigate to:
Copy code
/self-service/login/browser
- For API-based flows, call:
Copy code
GET /self-service/login/api
This will return a login flow ID and CSRF token. --- ### 2. Submit Login Credentials - First, submit your primary credentials (e.g., password) to the login flow endpoint. - If your account is configured for TOTP, after successful password authentication, you will be prompted for your TOTP code. --- ### 3. Submit TOTP Code - Use the flow ID and CSRF token from the login flow. - Submit a POST request to the login endpoint with the following payload:
Copy code
json {   "csrf_token": "<csrf_token>",   "method": "totp",   "totp_code": "123456" // Replace with the code from your TOTP app }
- The endpoint will look like:
Copy code
/self-service/login?flow=<flow_id>
--- ### 4. Successful Login - If the TOTP code is correct, you will be logged in and your session will be upgraded to the appropriate AAL (Authenticator Assurance Level). --- Note: - You must have already paired your account with a TOTP app before you can log in using TOTP. If you have not set up TOTP, you will receive an error like "You have no TOTP device set up" [You have no TOTP device set up. (4000011)](https://www.ory.sh/docs/kratos/concepts/ui-user-interface#you-have-no-totp-device-set-up-4000011). - The TOTP login step is only available if TOTP is enabled in your Kratos configuration and the user has completed the pairing process [Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp). --- References: - [Ory Kratos TOTP Documentation](https://www.ory.sh/docs/kratos/mfa/totp) - [Ory Kratos API Reference: updateLoginFlow](https://www.ory.sh/docs/kratos/reference/api)
s
@chilly-king-10285 when i login with password, i get error
Copy code
{
  "error": {
    "id": "browser_location_change_required",
    "code": 422,
    "status": "Unprocessable Entity",
    "reason": "In order to complete this flow please redirect the browser to: <http://kratos:4433/self-service/login/browser?aal=aal2>",
    "message": "browser location change required"
  },
  "redirect_browser_to": "<http://kratos:4433/self-service/login/browser?aal=aal2>"
}
b
A message from kapa.ai
The error you are seeing:
Copy code
json {   "error": {     "id": "browser_location_change_required",     "code": 422,     "status": "Unprocessable Entity",     "reason": "In order to complete this flow please redirect the browser to: <http://kratos:4433/self-service/login/browser?aal=aal2>",     "message": "browser location change required"   },   "redirect_browser_to": "<http://kratos:4433/self-service/login/browser?aal=aal2>" }
means that Ory Kratos requires the browser to be redirected to a new login flow, specifically to complete an AAL2 (multi-factor authentication) step. This is a standard behavior for SPAs or API clients when a step-up in authentication is required. What to do: - When you receive this error with 
id: "browser_location_change_required"
and a 
redirect_browser_to
URL, you must redirect the user's browser to the provided URL to continue the authentication process. - This is necessary because certain flows (like step-up authentication to AAL2) require a new browser context and cannot be completed via API alone. This behavior is documented in the Ory Kratos documentation for SPAs and the 422 error, which states that a 422 response with this error means the browser needs to be redirected to a new flow, and the new flow ID can be extracted from the payload for further processing if needed [SPAs and the '422' error](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#spas-and-the-422-error). Summary: You must redirect the browser to the URL provided in 
redirect_browser_to
to continue and complete the login process with the required assurance level.
2 Views
Open in Slack
PreviousNext
Powered by