# talk-kratos
w
Hey guys. Currently Kratos logs the user in when they use a recovery link. Is this really the desired behavior? There's a few problems with this.
b
Hi, what kind of issues are you facing? Logging the user in is required, as they probably need to reset their password after recovering access to their account, and the only way to do this is via the settings page. We know that this is not optimal and plan on changing this in the future, but have not made concrete plans about that yet.
w
Firstly, as you wrote, redirecting the user to the settings page is not optimal, since we might not want them to have access to the rest of the app before resetting the password.
However, this is more of a security issue when a user already has TOTP set up. Let's say they wish to reset their password: the recovery link logs them in without requiring 2FA.
b
Yes, you’re absolutely right!
> since we might not want them to have access to the rest of the app before resetting the password.

That is an interesting use case! Thanks for that. I think in the future we will refactor the recovery to include a step to reset credentials directly inside the flow (instead of re-using the settings flow), which would completely circumvent these issues.

> However, this is more of a security issue when a user already has TOTP set up. Let's say they wish to reset their password: the recovery link logs them in without requiring 2FA.
This can be configured:
```yaml
selfservice:
  flows:
    settings:
      required_aal: highest_available
```
This way we require the second factor before redirecting to the settings page. Unfortunately, there is currently a bug in there that prevents the correct redirect after the second factor is completed: https://github.com/ory/kratos/issues/2832 That should be fixed soon, though.
w
Yes, I'm aware of this bug and therefore I don't use this configuration.
However, I don't want to require the second factor from a user who wishes to reset their password, and looking around on the web, it's not a common practice. A user should simply enter the recovery link and change their password, regardless of whether they have 2FA or not. That is, I believe, one of the big issues with the current implementation: you'd have to require it, otherwise the user is logged in with only one factor.
b
Ah, I see. That makes sense, and I think we will change this soon; we just don't have a timeline for this yet. Sorry about that.