Confused now about the CSRF token in login flow. I...
# general
r
Confused now about the CSRF token in login flow. I understand what it's for and how to send it, but am very confused about where my UI should get it from, having read the docs multiple times and searched this channel for previous questions. Thus far, I have a part-implementation of Hydra+Kratos integration with my own UI, and a reference installation on a different system using the kratos-selfservice-ui-node demo. My own is stuck at the point of needing to obtain the csrf token in order to send it to Kratos with the user's credentials. The only place I can identify it as being available is through the `/selfservice/login/flows?id=...` endpoint, but watching in my browser's network console what the reference demo does when successfully going through a login flow, it makes no calls to this. I imagine any such calls must be client (browser) side and therefore I'd see them, because it seems they themselves require valid cookies to be set. It does get the csrf_token from somewhere, but for the life of me I can't see where. I'm sure I'm missing something obvious, but it doesn't seem to be (clearly) documented anywhere.
Answered my own question thanks to a hint in here. It's a server-side call to the flows endpoint, but using the csrf_token cookies from the client. Obvious, really.
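
The server-side call described in the answer, sketched as an added example (not part of the original thread and not code from Kratos or the demo UI): the UI backend fetches the login flow while passing the browser's own `Cookie` header through, then reads the token out of the flow. Assumptions: the base URL, the function names, the endpoint spelled `/self-service/login/flows` as in current Kratos releases, and the `ui.nodes` response shape, which differs in older versions.

```javascript
// Added example. Hypothetical names; KRATOS_PUBLIC_URL is an assumed deployment.
const KRATOS_PUBLIC_URL = "http://127.0.0.1:4433";

// Build the backend request: the flow id from the UI's query string plus the
// browser's Cookie header, unchanged, so Kratos can match the anti-CSRF cookie.
function buildFlowRequest(flowId, browserCookieHeader) {
  if (!/^[0-9a-fA-F-]{36}$/.test(flowId)) throw new Error("flow id is not a UUID");
  if (!browserCookieHeader) throw new Error("no cookies: restart the login flow");
  const url = new URL("/self-service/login/flows", KRATOS_PUBLIC_URL);
  url.searchParams.set("id", flowId);
  return {
    url: url.toString(),
    headers: { Accept: "application/json", Cookie: browserCookieHeader },
  };
}

// Find the hidden csrf_token input among the flow's UI nodes (assumed shape).
function extractCsrfToken(flow) {
  const nodes = (flow && flow.ui && flow.ui.nodes) || [];
  const node = nodes.find((n) => n.attributes && n.attributes.name === "csrf_token");
  if (!node || !node.attributes.value) throw new Error("flow has no csrf_token");
  return node.attributes.value;
}

// Per-request lookup: never cache the token, it is bound to this user's cookie.
async function getLoginCsrfToken(flowId, browserCookieHeader, fetchImpl = fetch) {
  const { url, headers } = buildFlowRequest(flowId, browserCookieHeader);
  const res = await fetchImpl(url, { headers });
  if (!res.ok) throw new Error(`Kratos answered ${res.status}`);
  return extractCsrfToken(await res.json());
}

// Constructed sample of a flow response, trimmed to the fields used above.
const SAMPLE_FLOW = {
  id: "11111111-2222-3333-4444-555555555555",
  ui: {
    nodes: [
      { type: "input", attributes: { name: "identifier", type: "text" } },
      { type: "input", attributes: { name: "csrf_token", type: "hidden",
                                     value: "constructed-token-value" } },
    ],
  },
};
```

Because the request is made by the UI's backend, it never shows up in the browser's network console; the rendered form simply arrives with the token already in a hidden field.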