# ory-selfhosting
b
Hey, we've integrated Ory Kratos & Hydra in our company and have some very strange issues with getting tokens via the PKCE flow. When we get a token from different mobile phones (a public OAuth 2.0 client for a mobile application) with different users, I can get someone else's token (which seems extremely insecure) and log in as that user instead of mine. A couple of times we even managed to both log in as the same user, having provided different sets of credentials on the login page. If it matters, we use a consent page and fill in some claims on it. We use self-hosted Kratos v0.11.1 and Hydra v2.0.3. Please advise where we need to dig to find out what the problem is, maybe some misconfiguration...
```yaml
log:
  leak_sensitive_values: true   # sensitive values (e.g. tokens) are written to the logs; debugging only
  level: debug
oauth2:
  expose_internal_errors: true  # internal error details are returned to clients; debugging only
oidc:
  subject_identifiers:
    supported_types:
    - public                    # the same subject is used across all clients (no pairwise identifiers)
serve:
  admin:
    port: 4445
  public:
    cors:
      enabled: true
    port: 4444
strategies:
  access_token: jwt             # access tokens are issued as JWTs instead of opaque tokens
  scope: exact                  # requested scopes must match the client's allowed scopes exactly
```
m
Hello Normand, are you able to share your integration code? Without it, it can be hard for us to know what is going on. The config looks fine, but I also have not tried this out in self-hosting myself…

> I can get someone else's token (which seems extremely insecure) and log in as that user instead of mine.

That does not sound good; I think it probably has something to do with the integration. There are some efforts in the community to provide an example integration, which would probably be helpful for cases like this… (https://github.com/ory/examples/pull/67)
b
Sorry, I forgot to mention that this bug with tokens is reproducible when we try to log in at the same time with different sets of credentials. We are using the unchanged images for hydra, kratos and self-service-node-ui. In the consent page we have code to fill user claims from sessions/whoami. Am I missing something, and is this not enough for an MVP? Now we plan to write our custom portal in React with the consent page integrated in it, but having such weird behavior with tokens blocks us from moving further.