ory.sh: Could not find they TOTP key in the internal context

[udf2457]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

Not very impressive !

Received this error when I tried to enable 2FA on Ory's own website !

An error occured
An unexpected error has occurred. If the problem persists please contact [email protected].
Could not find they TOTP key in the internal context. This is a code bug and should be reported to https://github.com/ory/kratos/.

Reproducing the bug

1. Create new account
2. Scan QR code
3. Click submit/save
4. Observe error

Relevant log output

No response

Relevant configuration

No response

Version

Ory website

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

[jonas-jonas]

Hi, thanks for the report. In which browser did you observe the issue?

[udf2457]

Hi

Brave (a.k.a. Chrome)

[aeneasr]

I was not able to reproduce this issue with the steps you provided. Can you please provide a reproducible case? Thank you!

[dirksierd]

We're seeing this error as well, with some users.
Microsoft Edge-browser. Attached the screenshot given user sent.

[rvzug]

Today the same as @dirksierd mentioned, an other client:

"error": {
"code": 500,
"message": "An internal server error occurred, please contact the
system administrator",
"reason": "Could not find they TOTP key in the internal context...."

This client mentioned that he used "Google Authenticator"

[aeneasr]

Can you please provide reproducible steps?

[rvzug]

Hi @aeneasr, i've tought on your request for STR for a while. The problem is, that is is user-dependant. We have two cases (@dirksierd and mine) but both cases need a validated e-mailadres to reproduce the error. And I can't/won't share the password and e-mailadress. If I change the e-mailadress, it just works normally.

STR:

1. Register the user by the requirements of the user-schema (I won’t publicly share the schema, but can share it in private)
2. Receive the e-mail verification and enter it in the UI
3. User is logged in the UI and can register a 2FA TOTP
4. User scans the QR-code with Microsoft Authenticator (user 1) or Google Authenticator (user 2)
5. User enters the 6-digit code in the verification field
6. User presses Save
7. Error occurs: Could not find they TOTP key in the internal context

Isn't it possible to reverse engeneer the issue based on the error-message? And provide us hints about what could be going wrong?

I've validated a couple of times that the returned code of app is right. When I enter a wrong 6-digit code, the normal behaviour is seen. So I guess that the code is validated succesfully, but than the error is served. My guess would be:

1. code is succesfully validated
2. key/token/whatever is NOT saved
3. some process can't find the TOTP key (eg. webhook-call?) in context

[aeneasr]

The error message suggests that there is a problem in the settings flow. So for example:

1. User opens settings
2. User changes email
3. Then tries to add TOTP
4. See error

If you could narrow down which interaction is causing the problem we can probably find the problem quickly!

[rvzug]

Today an other user (user 3) have seen the same error message. We've repeated the STR from scratch. I've validated that the user did not change the e-mail/other information, did not used any submit-button in the UI, other than the TOTP-submit-button.

Still the error is shown right after saving the TOTP-validation code in the UI.

I did check: The Ory Dashboard does indicate that the TOTP is set succesfully for this user.

@dirksierd can you validate that there are no changes trough any API that could interfer? I don't see any webhooks related to this in our configuration, though.

[aeneasr]

I believe this to be a dupe of: ory/kratos#2401

[dirksierd]

I've tried many different routes, but cannot reproduce. Linking and unlinking the TOTP-method works without problem as well.

Here's the steps with a bit more detail…

1. Go to our app
2. Press the 'login'-button
3. Get redirected to the Ory-hosted UI for our project (with ?return_to=APP_URL)
4. Choose 'sign up' and complete sign up flow (which has a webhook-check on POST)
5. Get redirected back to our app when succesfull
6. See a notice that AAL2 is required, with a button to go do so
7. Press the button (to: /ui/settings?return_to=APP_URL#totp) – creating a new flow
8. Usually: user links TOTP and gets redirected back, able to use the app
9. Sometimes: get the aforementioned error when trying to link TOTP

Ticket 2401 talks about logging in and out in-between. We could try that, but not sure. Step 7 tells me we're not re-using a flow to set the TOTP. It's a newly created flow.