<@U04UQ68083H> why kratos want password confirmati...
# ory-copilot
@chilly-king-10285 why does Kratos want password confirmation for OIDC apps with Hydra? Is there a way to disable that? This is the example configuration that Kratos gave:

```yaml
password:
  enabled: false
  config:
    haveibeenpwned_host: ""
    haveibeenpwned_enabled: false
    max_breaches: 0
    ignore_network_errors: false
    min_password_length: 6
    identifier_similarity_check_enabled: false
    migrate_hook:
      enabled: false
      config:
        url: http://a.aaa
        method: POST
        headers: {}
        emit_analytics_event: false
        auth:
          type: api_key
          config:
            name: ""
            value: ""
            in: header
```
A message from kapa.ai
Ory Kratos may require password confirmation (re-authentication) for certain actions, even in OIDC app flows with Hydra, due to its security model around "privileged actions." For example, when a user tries to update sensitive information (like their password, email, or linked OIDC accounts), Kratos checks if the session is "privileged"—meaning the user has recently authenticated. If not, Kratos prompts for password confirmation to ensure the user is really present and authorized to perform the action. This is similar to "sudo mode" on platforms like GitHub and is controlled by the `privileged_session_max_age` setting in your configuration. If the session is older than this value, re-authentication is required, regardless of the authentication method used to log in (password, OIDC, etc.) [Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings).

Disabling password confirmation: If you want to avoid password confirmation prompts, you can set a high value for `privileged_session_max_age` in your Kratos config under the relevant flow (e.g., settings). For example:
```yaml
selfservice:
  flows:
    settings:
      privileged_session_max_age: 8760h # 1 year
```
Setting this to a very high value effectively disables frequent password confirmations. However, you cannot fully disable this security check without compromising security for privileged actions.

Disabling the password method entirely: If you set `password.enabled: false` in your config, users will not be able to use password-based authentication at all. This is only recommended if you exclusively use OIDC or other non-password methods for all users [Login and registration using passwords](https://www.ory.sh/docs/kratos/concepts/credentials/username-email-password).

Summary:
- Kratos asks for password confirmation for privileged actions to protect user accounts.
- You can reduce or avoid these prompts by increasing `privileged_session_max_age`.
- If you disable the password method, password prompts will not appear, but users cannot use passwords to log in or register.

If you need more granular control or want to change this behavior for OIDC-only users, the knowledge sources do not provide a way to fully disable privileged session checks for OIDC flows only. This is a core part of Kratos' security model.
@chilly-king-10285 what if I set it to 0?
A message from kapa.ai
If you set `privileged_session_max_age: 0` in your Kratos configuration, it means that the session is never considered privileged after authentication. As a result, any action that requires a privileged session (such as updating sensitive settings or performing certain flows) will always require the user to re-authenticate, regardless of how recently they logged in. This effectively forces password (or other second-factor) confirmation every time a privileged action is attempted [Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings) [Privileged sessions](https://www.ory.sh/docs/kratos/session-management/session-lifespan#privileged-sessions). This is the strictest security setting and is generally not recommended unless you have a specific use case that requires constant re-authentication for sensitive actions.
@chilly-king-10285 how do I stop this from being shown for me?
Sorry @famous-jackal-2829, it looks like your question contains files, which I cannot process. Please reformulate your question without including any files.
@chilly-king-10285 could it be handled somewhere in this example?

```yaml
public:
  request_log:
    disable_for_health: false
  cors:
    enabled: false
    allowed_origins:
      - https://example.com
      - https://*.example.com
      - https://*.foo.example.com
    allowed_methods:
      - POST
    allowed_headers:
      - ""
    exposed_headers:
      - ""
    allow_credentials: false
    options_passthrough: false
    max_age: 0
    debug: false
```
A message from kapa.ai
Based on the knowledge sources, the CORS (Cross-Origin Resource Sharing) configuration you provided under the `public` section is unrelated to the privileged session behavior or the requirement for password confirmation in Ory Kratos. The CORS settings control which origins, methods, and headers are allowed for cross-origin requests to the public API endpoints, but they do not affect session privilege checks or authentication flows [Cross-origin resource sharing (CORS) settings](https://www.ory.sh/docs/kratos/guides/setting-up-cors). The privileged session logic—such as how often a user is required to re-authenticate for sensitive actions—is handled by the `privileged_session_max_age` setting, not by CORS or request logging configuration [Privileged sessions](https://www.ory.sh/docs/kratos/session-management/session-lifespan#privileged-sessions).

In summary: No, the CORS configuration you posted does not handle or influence the privileged session or password confirmation requirements in Ory Kratos.
@chilly-king-10285 what is the default value of `privileged_session_max_age`?
A message from kapa.ai
The knowledge sources do not explicitly state the default value of `privileged_session_max_age` in Ory Kratos. The documentation provides examples of how to set this value (e.g., `15m` for 15 minutes), but does not mention what the default is if you do not specify it in your configuration [Privileged sessions](https://www.ory.sh/docs/kratos/session-management/session-lifespan#privileged-sessions). If you need to know the exact default, you may need to check the official Ory Kratos source code or configuration reference, as the provided knowledge sources do not contain this information.