Merge branch 'master' into jonas-jonas/transientPayloads

CHANGELOG.md

@@ -5,7 +5,7 @@
 
 **Table of Contents**
 
-- [ (2024-02-12)](#2024-02-12)
+- [ (2024-02-16)](#2024-02-16)
   - [Bug Fixes](#bug-fixes)
   - [Features](#features)
   - [Tests](#tests)
@@ -320,12 +320,15 @@
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
-# [](https://github.com/ory/kratos/compare/v1.1.0-pre.0...v) (2024-02-12)
+# [](https://github.com/ory/kratos/compare/v1.1.0-pre.0...v) (2024-02-16)
 
 ### Bug Fixes
 
 - Add consistency flag ([#3733](https://github.com/ory/kratos/issues/3733))
   ([fd79950](https://github.com/ory/kratos/commit/fd7995077307cc101550eda5d7724ea1f68fa98a))
+- Don't require code credential for MFA flows
+  ([#3753](https://github.com/ory/kratos/issues/3753))
+  ([40ed809](https://github.com/ory/kratos/commit/40ed809db631149874864f216a106c43ea5df670))
 - Http courier using should use lower case json
   ([#3740](https://github.com/ory/kratos/issues/3740))
   ([84149c4](https://github.com/ory/kratos/commit/84149c4b420ea89f0a16a579c017a8e7e1670204))

internal/testhelpers/config.go

@@ -24,11 +24,17 @@ func UseConfigFile(t *testing.T, path string) *pflag.FlagSet {
 	return flags
 }
 
-func SetDefaultIdentitySchema(conf *config.Config, url string) {
+func SetDefaultIdentitySchema(conf *config.Config, url string) func() {
+	schemaUrl, _ := conf.DefaultIdentityTraitsSchemaURL(context.Background())
 	conf.MustSet(context.Background(), config.ViperKeyDefaultIdentitySchemaID, "default")
 	conf.MustSet(context.Background(), config.ViperKeyIdentitySchemas, config.Schemas{
 		{ID: "default", URL: url},
 	})
+	return func() {
+		conf.MustSet(context.Background(), config.ViperKeyIdentitySchemas, config.Schemas{
+			{ID: "default", URL: schemaUrl.String()},
+		})
+	}
 }
 
 // UseIdentitySchema registeres an identity schema in the config with a random ID and returns the ID

selfservice/strategy/code/strategy_login.go

@@ -301,10 +301,21 @@ func (s *Strategy) loginVerifyCode(ctx context.Context, r *http.Request, f *logi
 
 	p.Identifier = maybeNormalizeEmail(p.Identifier)
 
-	// Step 1: Get the identity
-	i, isFallback, err := s.findIdentityByIdentifier(ctx, p.Identifier)
-	if err != nil {
-		return nil, err
+	isFallback := false
+	var i *identity.Identity
+	if f.RequestedAAL > identity.AuthenticatorAssuranceLevel1 {
+		// Don't require the code credential if the user already has a session (e.g. this is an MFA flow)
+		sess, err := s.deps.SessionManager().FetchFromRequest(ctx, r)
+		if err != nil {
+			return nil, err
+		}
+		i = sess.Identity
+	} else {
+		// Step 1: Get the identity
+		i, isFallback, err = s.findIdentityByIdentifier(ctx, p.Identifier)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	loginCode, err := s.deps.LoginCodePersister().UseLoginCode(ctx, f.ID, i.ID, p.Code)

selfservice/strategy/code/strategy_login_test.go

@@ -586,7 +586,8 @@ func TestLoginCodeStrategy(t *testing.T) {
 				})
 
 				t.Run("case=should be able to get AAL2 session", func(t *testing.T) {
-					identity := createIdentity(ctx, t, false)
+					t.Cleanup(testhelpers.SetDefaultIdentitySchema(conf, "file://./stub/default.schema.json")) // doesn't have the code credential
+					identity := createIdentity(ctx, t, true)
 					var cl *http.Client
 					var f *oryClient.LoginFlow
 					if tc.apiType == ApiTypeNative {