# ory-network
Hi Everyone, Query: Does flow ID have security concerns if we expose it on the client side?
it should not be leaked from clients
Hi @steep-lamp-91158 Based on these issues, I have a few use cases in mind, like below:
1. Is there any expiration time for the flow ID?
2. As per this issue, it will be problematic if I use the flow id in the URL, as if I share the URL with another user, it will be an issue. But what if I am not exposing or attaching flow id with the URL and making flow id a part of my request body of the login API?
3. Is there any other security concern apart from this?
Hi @steep-lamp-91158 Any update on my queries above? I would really appreciate your support. Thanks in advance.
yes, the flows expire and need to be restarted
if it is not in the URL, then it is probably hard to leak, so yeah
the only concern is leaking of partially filled out form data, which probably is PII