# talk-hydra
Does the login and consent flow have any protection against the following attack vector, where it seems that an attacker can log the victim into the attacker's account?
1. Client initiates login by redirecting the user to hydra.example.com/oauth2/auth
2. Hydra redirects the user to the login UI at login.example.com/auth/login?login_challenge=foo
3. The user decides not to log in right now and closes the browser tab
4. The attacker somehow gains knowledge of the login challenge (e.g. by physically being near the victim's computer screen and reading the URL bar)
5. The attacker visits the login UI at login.example.com/auth/login?login_challenge=foo and signs in
6. Instead of following the redirect back to Hydra, the attacker sends the redirect URL to the victim, e.g. by email.
7. The victim clicks on the redirect URL and is now logged into the attacker's account.
That attack should be mitigated by standard CSRF protection.
Which is built into Hydra.
This attack cannot be mitigated by CSRF protection, because it doesn't involve any cross-site requests ...
To be clear: in my attack the attacker uses his own browser in step 5. This is not done via a cross-site XHR/fetch.
@refined-kangaroo-48640 do you have any answer to this question, yet? I'm a security researcher and am very interested in this topic.
Sounds plausible. Have you tried this?
Yes, I have tried this using two different browser sessions and it works.
• Perform steps 1-3 in browser session A (victim) and copy the URL including `?login_challenge=...`
• Perform step 5 in browser session B (attacker) and enter the credentials of the attacker's account. This makes a POST request to the IdP, obtaining a 302 response. Copy the Location from the response header.
• Perform step 7 in browser session A and you're logged into the attacker's account.
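The seven steps of the question, replayed as an added example (constructed for this thread; it is not Ory Hydra's code or the Ory login UI's code): a Python toy model with one cookie jar per browser session. `AuthServer`, `LoginUI`, the cookie names `auth_csrf` and `challenge_owner`, and the two-user table are all assumptions of the model. `run_attack(False)` models a login UI that accepts the credential POST from any browser that knows the challenge: the CSRF cookie set in browser A at step 2 is still present in A at step 7, so the check passes and A ends up logged in as the attacker. `run_attack(True)` models one generic design that closes this, binding a challenge to the first browser that opens the login form. Whether Hydra or a particular login UI does anything like this is exactly the open question in the thread; the model does not settle it.

```python
"""Toy model of the login-challenge flow discussed in the thread.

Constructed for this example, not Ory Hydra's or the Ory login UI's code.
Browser A is the victim's session, browser B the attacker's; each has its
own cookie jar. LoginUI runs either unbound (any browser that knows the
challenge may complete it) or bound (challenge tied to the first browser).
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Browser:
    """One browser session: a name and a private cookie jar."""
    name: str
    cookies: dict = field(default_factory=dict)


class AuthServer:
    """Stand-in for hydra.example.com: mints challenges, checks its CSRF cookie
    on the way back, and logs the returning browser in as the accepted subject."""

    def __init__(self):
        self.challenges = {}  # challenge -> {"csrf": token, "subject": user or None}
        self.sessions = {}    # browser name -> logged-in subject

    def start_login(self, browser):
        """Steps 1-2: mint challenge + CSRF token, set the token as a cookie in
        the browser that started the flow, redirect it to the login UI."""
        challenge, csrf = secrets.token_hex(8), secrets.token_hex(8)
        self.challenges[challenge] = {"csrf": csrf, "subject": None}
        browser.cookies["auth_csrf"] = csrf  # assumed cookie name for this model
        return f"https://login.example.com/auth/login?login_challenge={challenge}"

    def accept_login(self, challenge, subject):
        """Back-channel call from the login UI; returns the 302 Location of step 5."""
        self.challenges[challenge]["subject"] = subject
        return f"https://hydra.example.com/oauth2/auth?login_verifier={challenge}"

    def finish_login(self, browser, redirect_url):
        """Step 7: the CSRF cookie only proves this browser started the flow;
        it says nothing about which browser submitted the credentials."""
        state = self.challenges[redirect_url.rsplit("login_verifier=", 1)[1]]
        if browser.cookies.get("auth_csrf") != state["csrf"]:
            raise PermissionError("CSRF cookie mismatch")
        self.sessions[browser.name] = state["subject"]
        return state["subject"]


class LoginUI:
    """Stand-in for login.example.com with a fixed (constructed) user table."""

    USERS = {"victim": "victim-pw", "attacker": "attacker-pw"}

    def __init__(self, auth, bind_to_browser):
        self.auth = auth
        self.bind = bind_to_browser
        self.owners = {}  # challenge -> owner cookie of the first browser to open it

    def get_form(self, browser, login_url):
        """Render the form. Bound mode: the first browser to open a challenge
        receives an owner cookie; any other browser is refused."""
        challenge = login_url.rsplit("login_challenge=", 1)[1]
        if self.bind:
            if challenge not in self.owners:
                self.owners[challenge] = secrets.token_hex(8)
                browser.cookies["challenge_owner"] = self.owners[challenge]
            elif browser.cookies.get("challenge_owner") != self.owners[challenge]:
                raise PermissionError("challenge already opened in another browser")
        return challenge

    def post_login(self, browser, challenge, username, password):
        """Handle the credential POST; returns the 302 Location back to the auth server."""
        if self.USERS.get(username) != password:
            raise PermissionError("bad credentials")
        if self.bind and browser.cookies.get("challenge_owner") != self.owners.get(challenge):
            raise PermissionError("challenge not bound to this browser")
        return self.auth.accept_login(challenge, username)


def run_attack(bind_to_browser):
    """Replay steps 1-7. Returns the subject browser A ends up logged in as,
    or None if the login UI refused the attacker at step 5."""
    auth = AuthServer()
    ui = LoginUI(auth, bind_to_browser)
    victim, attacker = Browser("A"), Browser("B")
    login_url = auth.start_login(victim)  # steps 1-2 in browser A
    ui.get_form(victim, login_url)        # form renders in A; victim closes the tab (step 3)
    try:
        challenge = ui.get_form(attacker, login_url)  # steps 4-5: stolen URL opened in B
        redirect = ui.post_login(attacker, challenge, "attacker", "attacker-pw")
    except PermissionError:
        return None
    return auth.finish_login(victim, redirect)  # steps 6-7: victim follows the mailed Location in A


if __name__ == "__main__":
    print("unbound login UI, browser A logged in as:", run_attack(bind_to_browser=False))
    print("bound login UI, browser A logged in as:  ", run_attack(bind_to_browser=True))
```

The point the model makes visible is that a CSRF token bound to the challenge is checked against the browser that returns with the verifier, which in this scenario is the victim's own browser; stopping the attack requires the credential submission itself to be tied to the browser that will consume the verifier, which the login UI can only approximate (here, by refusing the challenge to any second browser).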
Have you checked Ory's Security Policy? https://www.ory.sh/docs/ecosystem/security I would recommend you open a report via HackerOne so we can discuss internally.
I'll check