Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

image.png

Hello!
I think frontend user-flow errors API exposes too much details of the underlying error. In case there is an error in communication to database or social provider (which is fixable, but network cannot be 100% reliable) the message might contain details such as ip addresses and I think it should not be available to the frontend API.
Have you had thoughts on restricting the message or mapping so that details are only in logs?

Agreed, this one should not leak to the client. It should be fairly simple to fix, our `herodot` library exposes the `WithReason` method. The reason only appears in logs, but is not send to the client.
Contributions welcome! :ory_love: