<@U04UQ68083H> ory kratos, after identities verifi...
# ory-copilot
@chilly-king-10285 Ory Kratos: after identities verified their emails, when they logged in with username and password they got status 422 to redirect to `/self-service/login/browser?aal=aal2`, but some need TOTP via email and some do not need it. How can I do this?
A message from kapa.ai
When users log in with username and password and are redirected to `/self-service/login/browser?aal=aal2`, it means Ory Kratos is enforcing step-up authentication (AAL2), typically requiring a second factor like TOTP or code via email/SMS. Whether a user is prompted for TOTP, email, or not prompted at all depends on:

1. MFA Configuration: If you have enabled multiple MFA methods (TOTP, code via email/SMS), users will be prompted to use the second factor they have configured. If a user has not set up any second factor, they may not be able to proceed, or the flow may allow fallback to another method if configured.
2. User Enrollment: Each user must enroll in their preferred MFA method (e.g., pairing a TOTP app or registering an email/phone for code delivery). Ory does not automatically enroll users in TOTP; they must set it up in their account settings first. If a user has not set up TOTP but has code via email/SMS enabled, they will be prompted for that instead. If neither is set up, the flow may block them or allow access based on your enforcement settings.
3. Enforcement Model: The behavior is controlled by your configuration:
   - `required_aal: highest_available` (strict): Users with a second factor configured must use it; those without can proceed with just password (AAL1).
   - `required_aal: aal2`: All users must complete a second factor, regardless of whether they have one set up.

In Ory Network, the default is strict (`highest_available`), so only users who have set up a second factor are required to use it. Others can log in with just their password. You can adjust this in the Ory Console or your config file under `selfservice.flows.settings.required_aal` and `session.whoami.required_aal` ([Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication)).

Summary of what you can do:
- If you want only users who have set up MFA to be prompted for AAL2, use `highest_available`.
- If you want all users to be forced to use MFA, use `aal2`.
- Make sure users have actually enrolled in their preferred MFA method (TOTP, email, SMS) in their account settings.
- If you want to allow fallback to email/SMS code for those who haven't set up TOTP, enable those methods in your config.

References:
- [Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication)
- [Configure multi-factor authentication](https://www.ory.sh/docs/kratos/self-hosted/mfa)
- [TOTP setup and user enrollment](https://www.ory.sh/docs/kratos/mfa/totp)
- [MFA via SMS and email](https://www.ory.sh/docs/kratos/mfa/mfa-via-sms)

If you need more granular control (e.g., force TOTP for some users and email for others), you would need to manage user enrollment and possibly customize your flows/UI to guide users to set up the desired second factor.
@chilly-king-10285 I am using Ory Kratos; how can I use Ory for OAuth2? I want to use Ory to do OAuth2 with Trino.
A message from kapa.ai
To use Ory for OAuth2 with Trino, you need to use Ory Hydra (or Ory OAuth2 & OpenID Connect in Ory Network), as Ory Kratos itself is not an OAuth2 provider but an identity management system. Ory Hydra provides OAuth2 and OpenID Connect capabilities and can be integrated with Ory Kratos for user authentication.

Steps to set up OAuth2 with Ory and Trino:

1. Set up Ory Hydra (or Ory OAuth2 & OpenID Connect):
   - Ory Hydra acts as the OAuth2 and OpenID Connect provider. You can run it self-hosted or use Ory Network, which provides this functionality out of the box.
   - Ory Hydra does not manage users directly; it delegates authentication to an identity provider like Ory Kratos. When a user logs in, Hydra will redirect to Kratos for authentication and then handle the OAuth2 flow ([Ory OAuth2 and OpenID Connect](https://www.ory.sh/docs/oauth2-oidc)).
2. Connect Ory Kratos to Ory Hydra:
   - Configure Ory Hydra to use Ory Kratos for login and consent flows. This way, when Trino initiates an OAuth2 flow, users will authenticate via Kratos ([Ory Hydra: A OAuth2 and OpenID Connect Provider written in Golang](https://www.ory.sh/blog/run-oauth2-server-open-source-api-security)).
3. Register Trino as an OAuth2 Client:
   - In Ory Hydra (or Ory Network), create an OAuth2 client for Trino. You will need to specify redirect URIs and allowed grant types ([Try common OAuth2 Grants](https://www.ory.sh/docs/getting-started/ory-network-oauth2)).
4. Configure Trino to use Ory as OAuth2 Provider:
   - In Trino, set the OAuth2 provider endpoints (authorization, token, userinfo) to point to your Ory Hydra or Ory Network project.
   - Use the client ID and secret you registered for Trino.

Key Points:
- Ory Kratos manages user identities and authentication.
- Ory Hydra (or Ory OAuth2 & OpenID Connect in Ory Network) provides OAuth2 and OIDC endpoints.
- Trino acts as an OAuth2 client, using Ory as the provider.

References:
- [Introduction to Ory Hydra OAuth2](https://www.ory.sh/docs/oauth2-oidc)
- [Run your own OAuth2 Server](https://www.ory.sh/blog/run-oauth2-server-open-source-api-security)
- [Try common OAuth2 Grants](https://www.ory.sh/docs/getting-started/ory-network-oauth2)

If you need a step-by-step guide for integrating with a specific client like Trino, you will need to consult Trino's documentation for OAuth2 client configuration and use the endpoints and credentials from your Ory OAuth2 setup. The knowledge sources do not provide a Trino-specific example, but the general OAuth2 integration steps above apply.
@chilly-king-10285 How can I trigger sending a code via email to recover an account?
A message from kapa.ai
To trigger sending a code via email for account recovery in Ory Kratos, you need to initiate the recovery flow using the API. Here's how you can do it:

1. Start the recovery flow: Send a POST request to the `/self-service/recovery` endpoint with the user's email and specify the method as `code`. For browser flows, include the CSRF token and cookies as required. Example cURL command for a browser flow:

```bash
# Browser flow: the CSRF token and the session/flow cookies (cookies.txt) are required.
curl -X POST \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d '{"method":"code","email":"email@example.com","csrf_token":"your-csrf-token"}' \
  -b cookies.txt \
  "https://$PROJECT_SLUG.projects.oryapis.com/self-service/recovery?flow=<your-flow-id>"
```

This will send a recovery code to the specified email address if it is registered. The user will then receive an email with the code to continue the recovery process. If you want to trigger this in a native (non-browser) flow, you can omit the CSRF token and cookies as appropriate for your setup ([Submit recovery flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-recovery-flow)).

2. Configuration: Make sure your recovery method is set to `code` in your Ory Kratos configuration. This ensures that a one-time code is sent via email for account recovery ([Account recovery](https://www.ory.sh/docs/identities/get-started/account-recovery)).

3. API Request Body: The request body should include:
   - `method`: set to `"code"`
   - `email`: the user's email address
   - `csrf_token`: required for browser flows

For more details on the request body, see the [API reference](https://www.ory.sh/docs/kratos/reference/api).

Note: If you include the `email` field again after a code has already been sent, it will invalidate the previous code and send a new one ([API reference](https://www.ory.sh/docs/kratos/reference/api)).

Summary: To trigger sending a code via email for account recovery, POST to `/self-service/recovery` with `{"method":"code","email":"user@example.com"}` and handle the flow as described above.
@chilly-king-10285 How do I trigger sending a code via email to verify an account?
A message from kapa.ai
To trigger sending a code via email to verify an account in Ory Kratos, you need to initiate the verification flow and submit the user's email address with the method set to `code`. Here's how you can do it:

1. Start the verification flow: Create a verification flow (browser or native) to obtain a flow ID.

2. Submit the verification flow: Send a POST request to the `/self-service/verification` endpoint with the following JSON body (`csrf_token` is required for browser flows):

```json
{
  "method": "code",
  "email": "user@example.com",
  "csrf_token": "your-csrf-token"
}
```

Example cURL for a browser flow:

```bash
# Browser flow: the CSRF token and the flow cookies (cookies.txt) are required.
curl -X POST \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -b cookies.txt \
  -d '{"method":"code","email":"user@example.com","csrf_token":"your-csrf-token"}' \
  "https://$PROJECT_SLUG.projects.oryapis.com/self-service/verification?flow=<your-flow-id>"
```

This will send a verification code to the specified email address if it is registered and verifiable. The user will then receive an email with the code to complete the verification process ([Submit verification flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-verification-flow)).

Note:
- The `method` must be set to `"code"` to trigger sending a code via email.
- For browser flows, you must include the CSRF token and cookies.
- If you submit the email again after a code has already been sent, it will invalidate the previous code and send a new one ([API reference](https://www.ory.sh/docs/kratos/reference/api)).

For more details, see the [Ory Kratos documentation on verification flows](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-verification-flow).