MFA screen includes OIDC buttons

[jonas-jonas]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

When configuring both MFA via code and OIDC, the MFA login flow contains UI nodes for the OIDC buttons. Since Kratos' OIDC strategy does not support carrying over the MFA status from a third party OIDC provider, there is no reason for the OIDC button to be there.

Reproducing the bug

1. enable code for mfa and atleast one oidc provider
2. set session.aal_required to highest_available
3. obtain a session
4. see the MFA screen with both the code button and the OIDC button

Relevant log output

Relevant configuration

Version

master

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

[aeneasr]

Is this with identifier first or without?

[aeneasr]

Pretty sure this is a bug in the oidc strategy, specifically here:

https://github.com/ory-corp/cloud/blob/9c6693502d530ae1dd081248b462d8f4a1efb356/kratos/kratos/internal/b2bsso/strategy_login.go#L39-L47

I wasn't aware that the b2b sso strategy completely replaces the kratos native oidc strategy. To fix this, firstfactor should only be populated when b2b sso is enabled + tests