Two step login rebased

.github/workflows/ci.yaml

@@ -289,6 +289,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           repository: ory/kratos-selfservice-ui-node
+          ref: jonas-jonas/two-step
           path: node-ui
       - run: |
           cd node-ui

.gitignore

@@ -65,3 +65,4 @@ test/e2e/kratos.*.yml
 # VSCode debug artifact
 __debug_bin
 .debug.sqlite.db
+.last-run.json

.schema/openapi/patches/schema.yaml

@@ -43,6 +43,7 @@
       set_ory_session_token: "#/components/schemas/continueWithSetOrySessionToken"
       show_settings_ui: "#/components/schemas/continueWithSettingsUi"
       show_recovery_ui: "#/components/schemas/continueWithRecoveryUi"
+      redirect_browser_to: "#/components/schemas/continueWithRedirectBrowserTo"
 
 - op: add
   path: /components/schemas/continueWith/oneOf
@@ -51,3 +52,4 @@
     - "$ref": "#/components/schemas/continueWithSetOrySessionToken"
     - "$ref": "#/components/schemas/continueWithSettingsUi"
     - "$ref": "#/components/schemas/continueWithRecoveryUi"
+    - "$ref": "#/components/schemas/continueWithRedirectBrowserTo"

.schema/openapi/patches/selfservice.yaml

@@ -19,6 +19,7 @@
     - "$ref": "#/components/schemas/updateRegistrationFlowWithWebAuthnMethod"
     - "$ref": "#/components/schemas/updateRegistrationFlowWithCodeMethod"
     - "$ref": "#/components/schemas/updateRegistrationFlowWithPasskeyMethod"
+    - "$ref": "#/components/schemas/updateRegistrationFlowWithProfileMethod"
 - op: add
   path: /components/schemas/updateRegistrationFlowBody/discriminator
   value:
@@ -28,7 +29,8 @@
       oidc: "#/components/schemas/updateRegistrationFlowWithOidcMethod"
       webauthn: "#/components/schemas/updateRegistrationFlowWithWebAuthnMethod"
       code: "#/components/schemas/updateRegistrationFlowWithCodeMethod"
-      passKey: "#/components/schemas/updateRegistrationFlowWithPasskeyMethod"
+      passkey: "#/components/schemas/updateRegistrationFlowWithPasskeyMethod"
+      profile: "#/components/schemas/updateRegistrationFlowWithProfileMethod"
 - op: add
   path: /components/schemas/registrationFlowState/enum
   value:
@@ -50,6 +52,7 @@
     - "$ref": "#/components/schemas/updateLoginFlowWithLookupSecretMethod"
     - "$ref": "#/components/schemas/updateLoginFlowWithCodeMethod"
     - "$ref": "#/components/schemas/updateLoginFlowWithPasskeyMethod"
+    - "$ref": "#/components/schemas/updateLoginFlowWithIdentifierFirstMethod"
 - op: add
   path: /components/schemas/updateLoginFlowBody/discriminator
   value:
@@ -62,6 +65,7 @@
       lookup_secret: "#/components/schemas/updateLoginFlowWithLookupSecretMethod"
       code: "#/components/schemas/updateLoginFlowWithCodeMethod"
       passkey: "#/components/schemas/updateLoginFlowWithPasskeyMethod"
+      identifier_first: "#/components/schemas/updateLoginFlowWithIdentifierFirstMethod"
 - op: add
   path: /components/schemas/loginFlowState/enum
   value:

Makefile

@@ -193,8 +193,8 @@ migrations-sync: .bin/ory
 	ory dev pop migration sync persistence/sql/migrations/templates persistence/sql/migratest/testdata
 	script/add-down-migrations.sh
 
-.PHONY: test-update-snapshots
-test-update-snapshots:
+.PHONY: test-refresh
+test-refresh:
 	UPDATE_SNAPSHOTS=true go test -tags sqlite,json1,refresh -short ./...
 
 .PHONY: post-release

cmd/clidoc/main.go

@@ -177,6 +177,8 @@ func init() {
 		"NewErrorValidationAddressUnknown":                        text.NewErrorValidationAddressUnknown(),
 		"NewInfoSelfServiceLoginCodeMFA":                          text.NewInfoSelfServiceLoginCodeMFA(),
 		"NewInfoSelfServiceLoginCodeMFAHint":                      text.NewInfoSelfServiceLoginCodeMFAHint("{maskedIdentifier}"),
+		"NewInfoLoginPassword":                                    text.NewInfoLoginPassword(),
+		"NewErrorValidationAccountNotFound":                       text.NewErrorValidationAccountNotFound(),
 	}
 }
 

courier/sms_test.go

@@ -63,6 +63,7 @@ func TestQueueSMS(t *testing.T) {
 			Body: body.Body,
 		})
 	}))
+	t.Cleanup(srv.Close)
 
 	requestConfig := fmt.Sprintf(`{
 		"url": "%s",
@@ -112,8 +113,6 @@ func TestQueueSMS(t *testing.T) {
 		assert.Equal(t, expected.To, message.To)
 		assert.Equal(t, fmt.Sprintf("stub sms body %s\n", expected.Body), message.Body)
 	}
-
-	srv.Close()
 }
 
 func TestDisallowedInternalNetwork(t *testing.T) {

driver/config/config.go

@@ -134,6 +134,8 @@ const (
 	ViperKeySelfServiceRegistrationAfter                     = "selfservice.flows.registration.after"
 	ViperKeySelfServiceRegistrationBeforeHooks               = "selfservice.flows.registration.before.hooks"
 	ViperKeySelfServiceLoginUI                               = "selfservice.flows.login.ui_url"
+	ViperKeySelfServiceLoginFlowStyle                        = "selfservice.flows.login.style"
+	ViperKeySecurityAccountEnumerationMitigate               = "security.account_enumeration.mitigate"
 	ViperKeySelfServiceLoginRequestLifespan                  = "selfservice.flows.login.lifespan"
 	ViperKeySelfServiceLoginAfter                            = "selfservice.flows.login.after"
 	ViperKeySelfServiceLoginBeforeHooks                      = "selfservice.flows.login.before.hooks"
@@ -774,14 +776,16 @@ func (p *Config) SelfServiceStrategy(ctx context.Context, strategy string) *Self
 	var err error
 	config, err = json.Marshal(pp.GetF(basePath+".config", config))
 	if err != nil {
-		p.l.WithError(err).Warn("Unable to marshal self service strategy configuration.")
+		p.l.WithError(err).Warn("Unable to marshal self-service strategy configuration.")
 		config = json.RawMessage("{}")
 	}
 
 	// The default value can easily be overwritten by setting e.g. `{"selfservice": "null"}` which means that
 	// we need to forcibly set these values here:
 	defaultEnabled := false
 	switch strategy {
+	case "identifier_first":
+		defaultEnabled = p.SelfServiceLoginFlowIdentifierFirstEnabled(ctx)
 	case "code", "password", "profile":
 		defaultEnabled = true
 	}
@@ -1612,3 +1616,16 @@ func (p *Config) PasswordMigrationHook(ctx context.Context) (hook *PasswordMigra
 
 	return hook
 }
+
+func (p *Config) SelfServiceLoginFlowIdentifierFirstEnabled(ctx context.Context) bool {
+	switch p.GetProvider(ctx).String(ViperKeySelfServiceLoginFlowStyle) {
+	case "identifier_first":
+		return true
+	default:
+		return false
+	}
+}
+
+func (p *Config) SecurityAccountEnumerationMitigate(ctx context.Context) bool {
+	return p.GetProvider(ctx).Bool(ViperKeySecurityAccountEnumerationMitigate)
+}

driver/registry_default.go

@@ -12,6 +12,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/ory/kratos/selfservice/strategy/idfirst"
+
 	"github.com/cenkalti/backoff"
 	"github.com/dgraph-io/ristretto"
 	"github.com/gobuffalo/pop/v6"
@@ -324,6 +326,7 @@ func (m *RegistryDefault) selfServiceStrategies() []any {
 				passkey.NewStrategy(m),
 				webauthn.NewStrategy(m),
 				lookup.NewStrategy(m),
+				idfirst.NewStrategy(m),
 			}
 		}
 	}
@@ -379,6 +382,7 @@ nextStrategy:
 					continue nextStrategy
 				}
 			}
+
 			if m.strategyLoginEnabled(ctx, s.ID().String()) {
 				loginStrategies = append(loginStrategies, s)
 			}

driver/registry_default_test.go

@@ -872,7 +872,7 @@ func TestDefaultRegistry_AllStrategies(t *testing.T) {
 	_, reg := internal.NewVeryFastRegistryWithoutDB(t)
 
 	t.Run("case=all login strategies", func(t *testing.T) {
-		expects := []string{"password", "oidc", "code", "totp", "passkey", "webauthn", "lookup_secret"}
+		expects := []string{"password", "oidc", "code", "totp", "passkey", "webauthn", "lookup_secret", "identifier_first"}
 		s := reg.AllLoginStrategies()
 		require.Len(t, s, len(expects))
 		for k, e := range expects {

embedx/config.schema.json

@@ -1557,12 +1557,6 @@
                   "title": "Enables login flows code method to fulfil MFA requests",
                   "default": false
                 },
-                "passwordless_login_fallback_enabled": {
-                  "type": "boolean",
-                  "title": "Passwordless Login Fallback Enabled",
-                  "description": "This setting allows the code method to always login a user with code if they have registered with another authentication method such as password or social sign in.",
-                  "default": false
-                },
                 "enabled": {
                   "type": "boolean",
                   "title": "Enables Code Method",
@@ -2879,6 +2873,21 @@
         }
       }
     },
+    "security": {
+      "type": "object",
+      "properties": {
+        "account_enumeration": {
+          "type": "object",
+          "properties": {
+            "mitigate": {
+              "type": "boolean",
+              "default": false,
+              "description": "Mitigate account enumeration by making it harder to figure out if an identifier (email, phone number) exists or not. Enabling this setting degrades user experience. This setting does not mitigate all possible attack vectors yet."
+            }
+          }
+        }
+      }
+    },
     "version": {
       "title": "The kratos version this config is written for.",
       "description": "SemVer according to https://semver.org/ prefixed with `v` as in our releases.",

examples/go/pkg/common.go

@@ -11,11 +11,9 @@ import (
 	"os"
 	"testing"
 
-	"github.com/ory/kratos/x"
-
-	"github.com/ory/kratos/internal/testhelpers"
-
 	ory "github.com/ory/client-go"
+	"github.com/ory/kratos/internal/testhelpers"
+	"github.com/ory/kratos/x"
 )
 
 func PrintJSONPretty(v interface{}) {

internal/client-go/.openapi-generator/FILES

@@ -15,6 +15,7 @@ docs/ConsistencyRequestParameters.md
 docs/ContinueWith.md
 docs/ContinueWithRecoveryUi.md
 docs/ContinueWithRecoveryUiFlow.md
+docs/ContinueWithRedirectBrowserTo.md
 docs/ContinueWithSetOrySessionToken.md
 docs/ContinueWithSettingsUi.md
 docs/ContinueWithSettingsUiFlow.md
@@ -99,6 +100,7 @@ docs/UiText.md
 docs/UpdateIdentityBody.md
 docs/UpdateLoginFlowBody.md
 docs/UpdateLoginFlowWithCodeMethod.md
+docs/UpdateLoginFlowWithIdentifierFirstMethod.md
 docs/UpdateLoginFlowWithLookupSecretMethod.md
 docs/UpdateLoginFlowWithOidcMethod.md
 docs/UpdateLoginFlowWithPasskeyMethod.md
@@ -139,6 +141,7 @@ model_consistency_request_parameters.go
 model_continue_with.go
 model_continue_with_recovery_ui.go
 model_continue_with_recovery_ui_flow.go
+model_continue_with_redirect_browser_to.go
 model_continue_with_set_ory_session_token.go
 model_continue_with_settings_ui.go
 model_continue_with_settings_ui_flow.go
@@ -219,6 +222,7 @@ model_ui_text.go
 model_update_identity_body.go
 model_update_login_flow_body.go
 model_update_login_flow_with_code_method.go
+model_update_login_flow_with_identifier_first_method.go
 model_update_login_flow_with_lookup_secret_method.go
 model_update_login_flow_with_oidc_method.go
 model_update_login_flow_with_passkey_method.go

internal/client-go/README.md

@@ -142,6 +142,7 @@ Class | Method | HTTP request | Description
  - [ContinueWith](docs/ContinueWith.md)
  - [ContinueWithRecoveryUi](docs/ContinueWithRecoveryUi.md)
  - [ContinueWithRecoveryUiFlow](docs/ContinueWithRecoveryUiFlow.md)
+ - [ContinueWithRedirectBrowserTo](docs/ContinueWithRedirectBrowserTo.md)
  - [ContinueWithSetOrySessionToken](docs/ContinueWithSetOrySessionToken.md)
  - [ContinueWithSettingsUi](docs/ContinueWithSettingsUi.md)
  - [ContinueWithSettingsUiFlow](docs/ContinueWithSettingsUiFlow.md)
@@ -222,6 +223,7 @@ Class | Method | HTTP request | Description
  - [UpdateIdentityBody](docs/UpdateIdentityBody.md)
  - [UpdateLoginFlowBody](docs/UpdateLoginFlowBody.md)
  - [UpdateLoginFlowWithCodeMethod](docs/UpdateLoginFlowWithCodeMethod.md)
+ - [UpdateLoginFlowWithIdentifierFirstMethod](docs/UpdateLoginFlowWithIdentifierFirstMethod.md)
  - [UpdateLoginFlowWithLookupSecretMethod](docs/UpdateLoginFlowWithLookupSecretMethod.md)
  - [UpdateLoginFlowWithOidcMethod](docs/UpdateLoginFlowWithOidcMethod.md)
  - [UpdateLoginFlowWithPasskeyMethod](docs/UpdateLoginFlowWithPasskeyMethod.md)

internal/client-go/go.sum

@@ -4,6 +4,7 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=