# general
a
I'm experimenting with kratos as a login/registration system and I noticed that even the self-service UI seems to redirect to the init flow endpoint rather than calling the endpoint directly - is that on purpose? Wouldn't that allow a user to intercept the redirect url and replace some of the query params? Or would it be better to just use the API client flows?
h
Yes - we need to prepare the login and protect against CSRF and other attack vectors!
a
Right, I understand the CSRF vector - what I'm thinking of is: couldn't someone take the redirect URL and (as an example) replace or drop the aal param, so it would return to the application as a successful login, but wouldn't have the requested assurance level?
I'm probably misunderstanding something; it just seemed odd at first glance.