<@U04UQ68083H> Can I use Kratos to request for aal...
# ory-copilot
@chilly-king-10285 Can I use Kratos to request for aal2 only when the request comes from certain Hydra clients (based on the login challenge)? Before Kratos accepts the Hydra login challenge.
A message from kapa.ai
Based on the provided knowledge sources, Ory Kratos allows you to request a specific Authenticator Assurance Level (AAL), such as `aal2`, by passing the `aal` query parameter when initializing a login flow (e.g., `/self-service/login/browser?aal=aal2`). This is commonly used for step-up authentication or to enforce multi-factor authentication for sensitive operations or flows initiated by Ory Hydra as part of an OAuth2/OIDC login flow. The `login_challenge` parameter is also passed from Hydra to Kratos in these flows, allowing Kratos to know which Hydra client initiated the request and potentially adjust its behavior accordingly [createBrowserLoginFlow - Kratos API](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json).

However, the knowledge sources do not describe a built-in mechanism in Kratos to dynamically require `aal2` only for certain Hydra clients based on the `login_challenge` before the login challenge is accepted. The configuration and API references show that you can set global or flow-based AAL requirements, but they do not mention conditional logic based on the Hydra client or the login challenge value itself.

To implement such conditional logic, you would likely need to add custom logic in your login UI or backend that:

1. Receives the `login_challenge` from Hydra.
2. Uses Hydra's Admin API to fetch details about the login request (including the client ID) using the `login_challenge` [getOAuth2LoginRequest - Hydra API](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json).
3. Decides whether to initiate the Kratos login flow with `aal2` based on the client ID or other request details.

This approach is not described as a built-in feature in the documentation, but it is technically feasible by orchestrating the flow in your application code.

Summary: There is no out-of-the-box feature in Kratos to require `aal2` only for certain Hydra clients based on the `login_challenge` before accepting the login challenge. You would need to implement this logic in your integration layer by inspecting the login challenge and then initializing the Kratos login flow with the appropriate AAL as needed [createBrowserLoginFlow - Kratos API](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json) [getOAuth2LoginRequest - Hydra API](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json). If you need more granular, per-client AAL enforcement, this must be handled outside of Kratos' built-in configuration.