`/sessions` endpoint returns sessions with complete identities even when configured AAL for whoami isn't reached
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
When `required_aal` for whoami is set as `highest_available`, Kratos will avoid leaking identity information without a valid AAL:
https://github.com/ory/kratos/blob/0c5ea9bf735a67ef35011ba41d7f98afc6f8e118/selfservice/flow/login/hook.go#L230-L231
https://github.com/ory/kratos/blob/0c5ea9bf735a67ef35011ba41d7f98afc6f8e118/session/handler.go#L229-L236
Unfortunately, this check is only performed on `/sessions/whoami`, allowing other `/sessions` requests without a higher AAL - leaking the user's identity.
Reproducing the bug
- Setup Kratos with whoami `required_aal` set to `highest_available`, and an identity that supports AAL2
- Login with AAL1
- Using the AAL1 session, request `/sessions`
- Previous sessions will have an identity field
Relevant log output
No response
Relevant configuration
```yaml
session:
  whoami:
    required_aal: highest_available
```
Version
master, but could be reproduced on 1.0.0
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response
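The gap the report describes, as an added example (not Kratos's own code): a simplified model in which the `required_aal` check that whoami performs is factored into a single guard, and the `/sessions` listing applies that same guard before returning any identity. Type names, the credential types and the session data are assumptions constructed for the example.

```go
package main
import "errors"
// Simplified model of Kratos's AAL concepts (example code, not Kratos's own types).
type AAL int
const AAL1, AAL2 AAL = 1, 2

// Identity lists its configured credential types, e.g. "password", "totp".
type Identity struct {
	ID          string
	Credentials []string
}

// HighestAvailableAAL is AAL2 once any second-factor credential is configured.
func (i Identity) HighestAvailableAAL() AAL {
	for _, c := range i.Credentials {
		if c == "totp" || c == "webauthn" || c == "lookup_secret" {
			return AAL2
		}
	}
	return AAL1
}
type Session struct {
	ID       string
	AAL      AAL
	Identity Identity
}
var ErrAALNotSatisfied = errors.New("session does not satisfy required AAL")

// RequireAAL is the whoami check; requiredAAL is session.whoami.required_aal ("aal1" or "highest_available").
func RequireAAL(s Session, requiredAAL string) error {
	if requiredAAL == "highest_available" && s.AAL < s.Identity.HighestAvailableAAL() {
		return ErrAALNotSatisfied
	}
	return nil
}

// ListMySessions is the mitigated /sessions handler: same guard first, then the identity's
// other active sessions (the current one excluded, as the real endpoint's docs describe).
func ListMySessions(current Session, all []Session, requiredAAL string) ([]Session, error) {
	if err := RequireAAL(current, requiredAAL); err != nil {
		return nil, err
	}
	var others []Session
	for _, s := range all {
		if s.Identity.ID == current.Identity.ID && s.ID != current.ID {
			others = append(others, s)
		}
	}
	return others, nil
}
```

With `highest_available` configured, an AAL1 session for a TOTP-enrolled identity gets the same error from the listing that it would get from whoami, instead of the other sessions' identities.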
This is by design, since `/sessions` is an admin API. Please reopen if you think I'm mistaken.
It is not an admin API, and I don't believe I could reopen this issue myself.
https://www.ory.sh/docs/kratos/reference/api#tag/frontend/operation/listMySessions