Recently I've been integrating the OAuth authorization flow into our application. I implemented a simple login-consent app to get the access token, and it works fine with a browser. We plan to use the token generated by Hydra to protect our API. However, as BE developers we might not have contact with the FE page (browser) in the development stage; especially when we write integration tests, we expect to be able to get the token by calling an API. I tried to get the token by triggering the authorization flow in the BE, but I always get stuck when the login provider tries to redirect to consent, with the error (“The CSRF value from the token does not match the CSRF value from the data store”). When I debugged, I found that Hydra didn't provide the CSRF value in a cookie if I didn't trigger the request from a browser, so that might be the reason for this issue?
So my question is: what is the best practice for BE developers/testers working with Hydra to get the access token in the development/testing stage without integrating with a browser?
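
An added illustration, not part of the original post and not Hydra's code: a CSRF check of the kind named in the error message fails when the HTTP client driving the flow does not carry cookies across redirects, and passes when it keeps a cookie jar. The stub server, its `/auth/start` and `/auth/resume` paths, the `csrf` cookie name and `run_flow` are all constructed for this example.

```python
import http.cookiejar
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

STORE = {}  # challenge -> CSRF value kept server-side (constructed stand-in for a data store)

class StubAuthServer(BaseHTTPRequestHandler):
    """Constructed stand-in for an authorization server; paths and cookie name are assumptions."""
    def do_GET(self):
        if self.path.startswith("/auth/start"):
            challenge, csrf = secrets.token_hex(8), secrets.token_hex(8)
            STORE[challenge] = csrf
            self.send_response(302)  # CSRF value travels only in the cookie
            self.send_header("Set-Cookie", f"csrf={csrf}; Path=/")
            self.send_header("Location", f"/auth/resume?challenge={challenge}")
        else:  # /auth/resume: cookie value must match the stored value
            challenge = self.path.split("challenge=")[-1]
            expected = STORE.get(challenge)
            ok = expected is not None and f"csrf={expected}" in self.headers.get("Cookie", "")
            self.send_response(200 if ok else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep test output quiet

def run_flow(keep_cookies):
    """Drive the redirect chain and return the final HTTP status code."""
    server = HTTPServer(("127.0.0.1", 0), StubAuthServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    handlers = []
    if keep_cookies:  # a cookie jar replays Set-Cookie on the redirected request
        handlers.append(urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    opener = urllib.request.build_opener(*handlers)
    try:
        with opener.open(f"http://127.0.0.1:{server.server_port}/auth/start") as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    finally:
        server.shutdown()
        server.server_close()
```
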