https://www.ory.sh/ logo
#talk-kratos
Title
# talk-kratos
i

important-fall-74969

02/24/2022, 10:50 AM
Hi, we’re trying to configure the TOTP and Lookup Secrets for the self service flows. We’re wondering if users should be able to set up the two 2FA methods in parallel? We’ve added both to our kratos config and we’re able to set the 2FA using totp when logged in using
submitSelfServiceSettingsFlow
and passing in a
SubmitSelfServiceSettingsFlowWithTotpMethodBody
flow body. This works great and we’re able to use it to log in. We also want to add recovery codes (lookup secrets) parallel to the totp 2FA. So that if a user has lost access to their totp device they can use their codes. When a user adds 2FA (totp) to their account we want to generate the codes automatically and add them as a backup to that account. We’re able to generate the recovery codes and confirm them by calling
submitSelfServiceSettingsFlow
and passing in a
SubmitSelfServiceSettingsFlowWithLookupMethodBody
but after that they seem to be set as the only option for 2FA? When we next try to login the only option for 2FA is to use the recovery codes. We’re only getting the
lookup_secrets
node back in the flow ui and no
totp
nodes? Here is the kratos config:
Copy code
selfservice:
  default_browser_return_url: <http://127.0.0.1:8084/>
  whitelisted_return_urls:
    - <http://127.0.0.1:8084>

  methods:
    profile:
      enabled: true
    password:
      enabled: true
    link:
      enabled: true
      config:
        lifespan: 15m
    oidc:
      enabled: true
      config:
        providers:
          - id: github
 DO NOT CHANGE IT ONCE SET!
            provider: github
            client_id: [REDACTED]
            client_secret: [REDACTED]
            mapper_url: file:///etc/config/kratos/oidc.github.jsonnet
            scope:
              - user:email
          - id: google
DO NOT CHANGE IT ONCE SET!
            provider: google
            client_id: [REDACTED
            client_secret: [REDACTED]
            mapper_url: file:///etc/config/kratos/oidc.google.jsonnet
            scope:
              - email
              - profile
            requested_claims:
              id_token:
                email:
                  essential: true
                email_verified:
                  essential: true
                given_name:
                  essential: true
                family_name: null
                hd: null # If you want the G Suite domain
    totp:
      enabled: true
      config:
        issuer: <http://Comnoco.io|Comnoco.io>
    lookup_secret:
      enabled: true
d

damp-salesclerk-26574

02/25/2022, 9:14 AM
Is anyone able to help us understand or solve this please? 🙏 We’re a little confused!
Ah, we’d done something wrong, it does work! 🙇‍♂️
5 Views