I feel like I am missing something obvious, but I cannot figure out the answer myself.
I am integrating Hydra with existing users following the guidelines here. My web app presents the login/password challenge to the end user and makes an API call to https://hydra/oauth2/auth/requests/login/accept if the username/password combination leads to a known user. I understand the accept call returns the redirect_to URL, which my login screen app should finally use in order to redirect the user's agent.
I do not understand one thing. What stops an end user (evil hacker) from intercepting the login_challenge key and invoking the accept API call using any REST client in order to complete the login procedure successfully, bypassing the login screen challenge?
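An added example, not code from the original post or from the Hydra project, of the login-provider side of the flow described above: the accept call is only built and sent after the credential check succeeds. It assumes a placeholder admin base URL ADMIN_BASE, a caller-supplied verify_credentials function, and an injected transport callable standing in for a real HTTP client so the code runs offline; the endpoint path is the one named in the post, with login_challenge as a query parameter and the subject in a JSON body.

```python
from urllib.parse import urlencode

# Placeholder for the Hydra admin API base; the real value is deployment-specific.
ADMIN_BASE = "http://hydra-admin:4445"


def build_accept_request(admin_base, login_challenge, subject, remember=False):
    """Return (method, url, json_body) for the login accept call."""
    query = urlencode({"login_challenge": login_challenge})
    url = f"{admin_base}/oauth2/auth/requests/login/accept?{query}"
    body = {"subject": subject, "remember": remember, "remember_for": 0}
    return "PUT", url, body


def handle_login(form, verify_credentials, transport, admin_base=ADMIN_BASE):
    """Handle a login-screen submission.

    form: dict with login_challenge, username, password (from the browser).
    verify_credentials(username, password) -> subject id, or None if unknown.
    transport(method, url, body) -> parsed JSON reply from Hydra.
    Returns the redirect_to URL on success, None otherwise.
    """
    challenge = form.get("login_challenge")
    if not challenge:
        return None
    subject = verify_credentials(form.get("username", ""), form.get("password", ""))
    if subject is None:
        return None  # accept is never called for an unverified user
    method, url, body = build_accept_request(admin_base, challenge, subject)
    reply = transport(method, url, body)
    return reply.get("redirect_to")


# Constructed stand-ins so the example runs offline.
def demo_verify(username, password):
    return "user-42" if (username, password) == ("alice", "pw") else None


def demo_transport(method, url, body):
    # Mimics Hydra's reply: redirect_to carries a login_verifier for the browser.
    assert method == "PUT" and "login_challenge=" in url and body["subject"]
    return {"redirect_to": "https://hydra/oauth2/auth?login_verifier=v1"}


if __name__ == "__main__":
    form = {"login_challenge": "c1", "username": "alice", "password": "pw"}
    print(handle_login(form, demo_verify, demo_transport))
```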