# ory-selfhosting
nice-fish-57602:
Hello. I'm using Kratos browser flow for a project and I'm having a few questions. Is it really by design that the user is redirected two times when starting, e.g., a registration flow? Or am I doing something wrong? Is there a way to fetch the CSRF token and flow ID on the server side and just serve the registration UI with all data in place? Or is that what the API flow is for? Also, why exactly is it not recommended to use the API flow for web servers? Is it fine to use it as long as I do anti-CSRF measures properly, or are there other attack vectors as well? Lastly, when using the browser flow, is it possible to hide the implementation details by customizing parameter names? As soon as an attacker sees &flow= in the URL, they'd know I'm using Kratos, no? Proxying the requests on the server side seems awkward because the flow is supposed to redirect the user, not the server. Could someone clear this up for me? Thank you.
magnificent-energy-493:
Hello @nice-fish-57602, see here for a detailed overview of the registration flow: https://www.ory.sh/docs/kratos/self-service/flows/user-registration The API flow is designed for clients that don't have a browser - such as mobile or native apps - if there is a browser involved use the browser flow, otherwise use the API flow. (https://www.ory.sh/docs/identities/native-browser)
Is it possible to hide the implementation details by customizing parameter names?
It's possible probably, but as you said it's going to be awkward and complicated. I wonder what the threat model is in this case, could you provide some detail why knowing a service uses Ory would be an issue?
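The two redirects and the server-side rendering asked about above, as an added example that is neither from this thread nor Ory's own code: a UI server handler that issues redirect 1 when no flow id is present, and a renderer that serves the form with the flow's hidden csrf_token in place. It assumes a placeholder Kratos public URL and a constructed flow document; in a real deployment the UI server fetches that document from GET /self-service/registration/flows?id=<flow id>, forwarding the browser's cookies.

```python
import html
from datetime import datetime, timezone
from typing import Optional

KRATOS_PUBLIC_URL = "https://kratos.example.test"  # assumption: placeholder Kratos public URL

# Constructed sample of what GET {KRATOS_PUBLIC_URL}/self-service/registration/flows?id=<flow id>
# returns; values are made up, only the shape (id, expires_at, ui.action, ui.nodes) matters.
SAMPLE_FLOW = {
    "id": "constructed-flow-id",
    "type": "browser",
    "expires_at": "2999-01-01T00:00:00Z",
    "ui": {
        "action": f"{KRATOS_PUBLIC_URL}/self-service/registration?flow=constructed-flow-id",
        "method": "POST",
        "nodes": [
            {"attributes": {"name": "csrf_token", "type": "hidden", "value": "constructed-csrf-token"}},
            {"attributes": {"name": "traits.email", "type": "email", "required": True}},
            {"attributes": {"name": "password", "type": "password", "required": True}},
            {"attributes": {"name": "method", "type": "submit", "value": "password"}},
        ],
    },
}

def handle_registration_request(query: dict):
    """UI server handler for GET on the configured ui_url. Returns (status, headers).
    Redirect 1: no ?flow= yet, so send the browser to Kratos to create a flow.
    Kratos sets the CSRF cookie on that response and issues redirect 2 back to
    ui_url?flow=<id>; only then does the UI server have a flow id to fetch."""
    if "flow" not in query:
        return 303, {"Location": f"{KRATOS_PUBLIC_URL}/self-service/registration/browser"}
    # The UI server now fetches the flow from Kratos, forwarding the browser's
    # Cookie header unchanged: the csrf_token in the flow is bound to that cookie.
    return 200, {"Content-Type": "text/html"}

def render_registration_form(flow: dict, now: Optional[datetime] = None) -> Optional[str]:
    """Render ui.nodes as an HTML form, hidden csrf_token included, so the page
    is served with all data in place. Returns None when the flow has expired,
    in which case the handler must start over with redirect 1."""
    now = now or datetime.now(timezone.utc)
    if datetime.fromisoformat(flow["expires_at"].replace("Z", "+00:00")) <= now:
        return None
    ui = flow["ui"]
    parts = [f'<form action="{html.escape(ui["action"])}" method="{html.escape(ui["method"])}">']
    for node in ui["nodes"]:
        attrs = [k if v is True else f'{k}="{html.escape(str(v))}"'
                 for k, v in node["attributes"].items() if v is not False]
        parts.append(f'<input {" ".join(attrs)}>')
    parts.append("</form>")
    return "\n".join(parts)
```

The token rendered into the form is only accepted together with the cookie Kratos set during redirect 1, which is why the page cannot simply be pre-rendered for an arbitrary visitor.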
nice-fish-57602:
@magnificent-energy-493 Hey, I've checked the docs already. I went in with the mindset of using Kratos like an API, but it seems like it's recommended to use it as a user-facing service instead.
I wonder what the threat model is in this case, could you provide some detail why knowing a service uses Ory would be an issue?
I'd imagine it's easier to attack something if you know what you're dealing with. Could just enumerate known CVEs if you see &flow= in the URL for example without any knowledge of the system whatsoever. I know, security by obscurity, but imo the less implementation detail I have to leak, the better.