# talk-hydra
The User login and consent flow documentation page states that the login UI should use CSRF tokens (a form of CSRF mitigation) in the login form. However, CSRF mitigation only makes sense when a request (such as a POST request) changes the state of the user session (e.g. login CSRF) or has a side effect that depends on the user session ("normal" CSRF). But the login UI doesn't even have user sessions. Any request which the attacker could make via a cross-site request through the user's browser could also be made by the attacker through his own browser and would have the same effect. So what's the point in mitigating CSRF in the login UI?
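For reference, the kind of check the documentation is talking about, as an added example that is not part of the original post and not Hydra's own code: a login UI that issues a random token in a first-party cookie when it renders the form and requires the same token back as a hidden form field on submission (the double-submit-cookie variant of a CSRF token). The cookie name, the `/login` path and the `login_challenge` parameter are assumptions made for the example. A POST forged from another origin can carry any form field the attacker likes, but the browser will not let the attacker read or set the login UI's cookie, so the token comparison fails and the request is rejected before any credentials are looked at.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Cookie name is an assumption for this example.
const csrfCookieName = "login_csrf"

// newCSRFToken returns 32 random bytes, base64url-encoded.
func newCSRFToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// loginFormHandler (GET /login) renders the login form. The hidden csrf
// field and the cookie carry the same fresh token; only a same-origin
// page can read the cookie and the form together.
func loginFormHandler(w http.ResponseWriter, r *http.Request) {
	tok, err := newCSRFToken()
	if err != nil {
		http.Error(w, "could not generate token", http.StatusInternalServerError)
		return
	}
	http.SetCookie(w, &http.Cookie{
		Name: csrfCookieName, Value: tok, Path: "/login",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode,
	})
	// login_challenge is passed through from the query string (assumed name).
	fmt.Fprintf(w, `<form method="post" action="/login">`+
		`<input type="hidden" name="login_challenge" value="%s">`+
		`<input type="hidden" name="csrf" value="%s">`+
		`<input name="username"><input name="password" type="password">`+
		`<button>Log in</button></form>`,
		r.URL.Query().Get("login_challenge"), tok)
}

// checkCSRF is the actual mitigation: the token in the POST body must equal
// the token in the cookie. Constant-time compare avoids leaking the token
// byte by byte through timing.
func checkCSRF(r *http.Request) bool {
	c, err := r.Cookie(csrfCookieName)
	if err != nil || c.Value == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(c.Value), []byte(r.PostFormValue("csrf"))) == 1
}

// loginSubmitHandler (POST /login) rejects the request before touching the
// credentials if the CSRF check fails.
func loginSubmitHandler(w http.ResponseWriter, r *http.Request) {
	if !checkCSRF(r) {
		http.Error(w, "invalid csrf token", http.StatusForbidden)
		return
	}
	// Credential verification and the redirect back to Hydra would go here.
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "login accepted")
}

// submitLogin drives loginSubmitHandler in-process and returns the status
// code. cookieTok is what the browser sends in the cookie (empty: no cookie),
// formTok is what the submitted form carries. A cross-site forgery controls
// formTok but not cookieTok.
func submitLogin(cookieTok, formTok string) int {
	form := url.Values{
		"login_challenge": {"abc"}, "csrf": {formTok},
		"username": {"alice"}, "password": {"hunter2"},
	}
	req := httptest.NewRequest(http.MethodPost, "/login", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if cookieTok != "" {
		req.AddCookie(&http.Cookie{Name: csrfCookieName, Value: cookieTok})
	}
	rec := httptest.NewRecorder()
	loginSubmitHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(submitLogin("t1", "t1")) // same-origin submission: 200
	fmt.Println(submitLogin("t1", "t2")) // attacker-supplied form token: 403
	fmt.Println(submitLogin("", "t1"))   // cross-site POST without the cookie: 403
}
```

The second and third cases are what a cross-site form post looks like from the login UI's side: the form fields arrive under the attacker's control, the cookie either is absent or holds a value the attacker never saw.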