ory · aeneasr · Jul 5, 2023 · Jul 5, 2023
@@ -31,7 +31,6 @@ const (
 	NoAuthenticatorAssuranceLevel AuthenticatorAssuranceLevel = "aal0"
 	AuthenticatorAssuranceLevel1  AuthenticatorAssuranceLevel = "aal1"
 	AuthenticatorAssuranceLevel2  AuthenticatorAssuranceLevel = "aal2"
-	AuthenticatorAssuranceLevel3  AuthenticatorAssuranceLevel = "aal3"
 )
 
 // CredentialsType  represents several different credential types, like password credentials, passwordless credentials,

@@ -28,8 +28,6 @@ func TestCredentialsEqual(t *testing.T) {
 func TestAALOrder(t *testing.T) {
 	assert.True(t, NoAuthenticatorAssuranceLevel < AuthenticatorAssuranceLevel1)
 	assert.True(t, AuthenticatorAssuranceLevel1 < AuthenticatorAssuranceLevel2)
-	assert.True(t, AuthenticatorAssuranceLevel1 < AuthenticatorAssuranceLevel3)
-	assert.True(t, AuthenticatorAssuranceLevel2 < AuthenticatorAssuranceLevel3)
 }
 
 func TestParseCredentialsType(t *testing.T) {

@@ -226,13 +226,6 @@ func (s *ManagerHTTP) FetchFromRequest(ctx context.Context, r *http.Request) (_
 	}
 
 	expand := identity.ExpandDefault
-	if s.r.Config().SessionWhoAmIAAL(r.Context()) == config.HighestAvailableAAL {
-		// When the session endpoint requires the highest AAL, we fetch all credentials immediately to save a
-		// query later in "DoesSessionSatisfy". This is a SQL optimization, because the identity manager fetches
-		// the data in parallel, which is a bit faster than fetching it in sequence.
-		expand = identity.ExpandEverything
-	}
-
 	se, err := s.r.SessionPersister().GetSessionByToken(ctx, token, ExpandEverything, expand)
 	if err != nil {
 		if errors.Is(err, herodot.ErrNotFound) || errors.Is(err, sqlcon.ErrNoRows) {
@@ -277,6 +270,11 @@ func (s *ManagerHTTP) DoesSessionSatisfy(r *http.Request, sess *Session, request
 	ctx, span := s.r.Tracer(r.Context()).Tracer().Start(r.Context(), "sessions.ManagerHTTP.DoesSessionSatisfy")
 	defer otelx.End(span, &err)
 
+	// If we already have AAL2 there is no need to check further because it is the highest AAL.
+	if sess.AuthenticatorAssuranceLevel > identity.AuthenticatorAssuranceLevel1 {
+		return nil
+	}
+
 	managerOpts := &options{}
 
 	for _, o := range opts {

@@ -114,12 +114,12 @@ func TestPersister(ctx context.Context, conf *config.Config, p interface {
 			})
 
 			t.Run("case=update session", func(t *testing.T) {
-				expected.AuthenticatorAssuranceLevel = identity.AuthenticatorAssuranceLevel3
+				expected.AuthenticatorAssuranceLevel = identity.AuthenticatorAssuranceLevel1
 				require.NoError(t, p.UpsertSession(ctx, &expected))
 
 				actual, err := p.GetSessionByToken(ctx, expected.Token, session.ExpandDefault, identity.ExpandDefault)
 				check(actual, err)
-				assert.Equal(t, identity.AuthenticatorAssuranceLevel3, actual.AuthenticatorAssuranceLevel)
+				assert.Equal(t, identity.AuthenticatorAssuranceLevel1, actual.AuthenticatorAssuranceLevel)
 			})
 
 			t.Run("case=remove amr and update", func(t *testing.T) {