Hello, is there any reference to utilising the OAuth 2.0 flows with the AAL2 security level? We already have the custom UI app, and whenever I try using something like this

const formData = new FormData(formRef.current);

const data = Object.fromEntries(formData);

const body = {

...data,

aal: "aal2",

refresh: true,

} as unknown as UpdateLoginFlowBody;

try {

const { data } = await ory.updateLoginFlow({

flow: currentFlow.id,

updateLoginFlowBody: body,

});

const redirectAction = data.continue_with?.find(

(item) => item.action === "redirect_browser_to",

);

if (redirectAction?.redirect_browser_to) {

window.location.href = redirectAction.redirect_browser_to;

} else {

console.warn("No redirect URL found, falling back to /login/verify.");

window.location.href = "/login/verify";

}

I get redirected to the self-service login, and either login works fine with password flow, or fails if I try to enable the Require second factor for login switch

What do you mean by login fails? It would just ask for the second factor after you submit the fist one. There is not really anything related to oauth2 specifically here, but you could in the consent step show an error when the sessions aal is not AAL2

the main issue here is that we are skipping the consent step as Ory is our primary identity provider

skipping consent just means auto-submitting really, you can still auto-submit but only if the session is AAL2