I feel like I am missing something obvious, but I cannot figure out the answer myself.

I am integrating Hydra with existing users following the guidelines here. My web app presents the login/password challenge to the end user and makes an API call to https://hydra/oauth2/auth/requests/login/accept if the username/password combination leads to a known user. I understand the accept call returns the redirect_to URL, which my login screen app should finally use in order to redirect the user's agent.

I do not understand one thing. What stops the end user (evil hacker) from intercepting the login_challenge key and invoking the accept API call using any REST client in order to complete the login procedure successfully, bypassing the login screen challenge?