square-napkin-92357
05/27/2025, 9:58 AM

brief-egg-61061
05/27/2025, 9:58 AM

```json
"error": { "id": "browser_location_change_required", ... "reason": "In order to complete this flow please redirect the browser to: http://kratos:4433/self-service/login/browser?aal=aal2" }
```

- This means Kratos requires the user to complete a step-up authentication (AAL2, e.g., 2FA) and expects the browser to be redirected to the provided URL to continue the flow. This is typical when your settings or login flow requires a higher AAL (like `aal2`) and the current session is only `aal1` (password only) [see docs](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#two-factor-authentication).

2. Second API Call (AAL2 Login):
- You try to GET the login flow for AAL2 with `refresh=true` and the session cookie.
- The response is:

```json
"error": { "id": "session_aal1_required", ... "reason": "You can not requested a higher AAL (AAL2/AAL3) without an active session." }
```

- This error means Kratos does not see a valid session, or the session is not at the required AAL. AAL2 can only be requested if a session already exists [see docs](https://www.ory.sh/docs/kratos/mfa/step-up-authentication).

### Why This Happens

- The step-up authentication flow (AAL2) requires an active session (AAL1) to exist. If the session cookie is missing, expired, or not properly sent, Kratos cannot proceed.
- The error `browser_location_change_required` is a signal for browser-based flows: the user must be redirected (not just an API call) so that cookies and CSRF tokens are handled correctly [see docs](https://www.ory.sh/docs/kratos/reference/api).

### How to Solve

1. Ensure a Valid Session Exists:
   - Before requesting AAL2, the user must be logged in and have an active session (AAL1).
   - Make sure you are sending the correct session cookie (`ory_kratos_session`) with your requests.
2. Follow the Redirect in a Browser Context:
   - The `browser_location_change_required` error means you should redirect the user's browser to the provided URL (`/self-service/login/browser?aal=aal2`). This is not meant to be handled by a backend API call, but by a browser redirect so cookies and CSRF tokens are managed automatically.
   - If you are building a custom UI, after receiving this error, redirect the user's browser to the `redirect_browser_to` URL.
3. Do Not Use API Endpoints for Browser Flows:
   - For browser-based applications, always use the `/self-service/login/browser` endpoints, not the `/api` endpoints, to avoid CSRF and session issues [see docs](https://www.ory.sh/docs/reference/api).
4. Check Your Cookies:
   - If you are using cURL or a non-browser client, ensure you are passing all required cookies (session and CSRF) exactly as the browser would. Missing or malformed cookies will cause session errors.

### Example Flow

1. User logs in with password (AAL1).
2. Kratos responds with `browser_location_change_required` and a redirect URL for AAL2.
3. Redirect the browser (not just an API call) to the given URL.
4. User completes the second factor (e.g., TOTP, WebAuthn).
5. Session is now AAL2.

Summary: You must redirect the browser to the provided URL for AAL2 authentication, ensuring the session cookie is present. Do not attempt to complete this flow with backend API calls alone—browser context is required for proper session and CSRF handling. For more details, see the official documentation on [step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication) and [browser flows](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#two-factor-authentication).

If you continue to get the `session_aal1_required` error, double-check that your session cookie is valid and not expired, and that you are not mixing up API and browser flows.

square-napkin-92357
05/27/2025, 10:03 AM

brief-egg-61061
05/27/2025, 10:03 AM

`/sessions/whoami` (or `toSession`) endpoint require AAL2 (multi-factor authentication), you need to configure your Ory Kratos or Ory Network project to enforce this requirement.

### How to Require AAL2 for `/sessions/whoami`

Ory Network / Kratos Configuration: Set the following in your configuration:

```yaml
session:
  whoami:
    required_aal: aal2
```

- This setting ensures that when you call `/sessions/whoami`, the session must have completed AAL2 (e.g., password + TOTP or WebAuthn). If the session is only AAL1, the endpoint will return a 403 error and prompt the user to complete the second factor.

How it works:
- If the session is not AAL2, the response will include an error with id: `session_aal2_required` and a redirect URL to complete the second factor authentication flow.
- This is the recommended way to enforce AAL2 for session checks in Ory Kratos and Ory Network.

Reference: You can find this configuration and behavior described in the official documentation:

> To change the multi-factor authentication enforcement to Lax and allow users to sign in or access user settings without authenticating with the second factor, go to Authentication → Two-factor auth in the Ory Console and use the switches in the General Settings section.
>
> Adjust the values of the indicated keys to the desired values:
>
> ```yaml
> session:
>   whoami:
>     required_aal: aal2
> ```
>
> Use `aal1` for the Lax model and `highest_available` for the Strict model. The default value in Ory Network is `highest_available`

[Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication)

Summary: Set `session.whoami.required_aal: aal2` in your configuration to require AAL2 for `/sessions/whoami` checks. If the session does not meet this level, the user will be prompted to complete the second factor.

square-napkin-92357
05/27/2025, 10:18 AM

brief-egg-61061
05/27/2025, 10:18 AM

```yaml
selfservice:
  methods:
    totp:
      config:
        issuer: ExampleIssuer.com
      enabled: true
```

You can do this via the Ory Console under Authentication → Two-factor auth or by editing your configuration file and updating your project using the CLI. After enabling, each user must pair their account with a TOTP app (like Google Authenticator) in their account settings. Users are not automatically prompted to enable TOTP; they must do this themselves in the account settings UI [Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp).

2. Enforce MFA after password login: To ensure that after a successful password login, the user is required to complete TOTP, set the authentication assurance level (AAL) enforcement to require the highest available factor for login and/or session:

```yaml
selfservice:
  flows:
    login:
      required_aal: highest_available
session:
  whoami:
    required_aal: highest_available
```

With this configuration, if a user has TOTP enabled, after logging in with their password, they will be prompted to complete the TOTP step before the login flow is completed and a session is issued [Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication).

Summary:
- Enable TOTP as a method.
- Set `required_aal: highest_available` for the login flow.
- Users with TOTP enabled will be required to complete TOTP after password login.

If you need users to be automatically prompted to set up TOTP after password login (if they haven't already), the knowledge sources do not provide explicit instructions for this scenario. Users must manually enable TOTP in their account settings. For more details, see the official documentation on [TOTP setup](https://www.ory.sh/docs/kratos/mfa/totp) and [step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication).

square-napkin-92357
05/27/2025, 10:20 AM

```
2025-05-27 17:20:04 The configuration contains values or keys which are invalid:
2025-05-27 17:20:04 selfservice.flows.login: map[lifespan:24h required_aal:highest_available ui_url:https://www.ory.sh/kratos/docs/fallback/login]
2025-05-27 17:20:04 ^-- additionalProperties "required_aal" not allowed
```
brief-egg-61061
05/27/2025, 10:20 AM

```
selfservice.flows.login: map[lifespan:24h required_aal:highest_available ui_url:https://www.ory.sh/kratos/docs/fallback/login] ^-- additionalProperties "required_aal" not allowed
```

indicates that the `required_aal` property is not valid under `selfservice.flows.login` in your Ory Kratos configuration. According to the knowledge sources, the `required_aal` property is documented for use under `selfservice.flows.settings` and under `session.whoami`, but not under `selfservice.flows.login` [Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication), [Configure multi-factor authentication in Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mfa).

What you should do:
- Remove `required_aal` from `selfservice.flows.login` in your configuration.
- If you want to enforce multi-factor authentication after login, set `required_aal` under `session.whoami` or `selfservice.flows.settings` as shown below:

```yaml
selfservice:
  flows:
    settings:
      required_aal: highest_available
session:
  whoami:
    required_aal: highest_available
```

This will ensure that after login, users will be required to complete the second factor if they have it enabled, and your configuration will be valid.

Summary: `required_aal` is not a valid property for `selfservice.flows.login`. Use it under `selfservice.flows.settings` or `session.whoami` instead [Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication), [Configure multi-factor authentication in Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mfa).

brief-egg-61061
05/28/2025, 2:45 AM

`"browser_location_change_required"` and provides a `redirect_browser_to` URL for AAL2. This means Kratos expects the user to complete a second authentication step (TOTP or other MFA) and requires the browser to be redirected to the given URL. This is standard for step-up authentication flows when a higher AAL is required after password login [see docs](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#two-factor-authentication).

2. Direct API Call to AAL2 Flow: When you try to call the AAL2 login flow endpoint directly with a session cookie, you get: `"session_aal1_required"`

This error means Kratos does not see a valid session at the required AAL, or the session is missing/invalid. AAL2 can only be requested if a valid session (AAL1) exists and is recognized by Kratos [see docs](https://www.ory.sh/docs/kratos/mfa/step-up-authentication).

### How to Solve

- Redirect the Browser: The `browser_location_change_required` error is a signal that you must redirect the user's browser to the provided URL. This is not meant to be handled by a backend API call, but by a browser redirect so that cookies and CSRF tokens are managed automatically. Kratos expects the browser to handle this step, not a direct API call.
- Ensure Session Cookie is Present: The AAL2 flow requires an active session (AAL1). If you are not using a browser, you must ensure that the session cookie is present and valid in your requests. If the session is missing or expired, Kratos will not allow you to proceed to AAL2.
- Do Not Mix API and Browser Flows: For browser-based applications, always use the `/self-service/login/browser` endpoints and follow redirects as instructed by Kratos. Do not attempt to complete the flow with backend API calls alone, as this will not handle cookies and CSRF tokens correctly.

### Summary

- After receiving the `browser_location_change_required` error, redirect the user's browser to the `redirect_browser_to` URL.
- Make sure the session cookie is valid and present.
- Do not attempt to complete the AAL2 step with backend API calls; use browser redirects as intended by Kratos.

This flow is by design and ensures secure handling of multi-factor authentication in browser environments [see docs](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#two-factor-authentication).

If you continue to get the `session_aal1_required` error, double-check that your session cookie is valid and not expired, and that you are not mixing up API and browser flows.