Hack login challenge by intercepting login_challenge key and accepting the login via Hydra REST API call?


I feel like I am missing something obvious, but I cannot figure out the answer myself.

I am integrating Hydra with existing users following the guidelines here. My web app presents the login/password challenge to the end user and makes an API call to https://hydra/oauth2/auth/requests/login/accept if the username/password combination leads to a known user. I understand the accept call returns the redirect_to URL, which my login screen app should finally use in order to redirect the user agent.

I do not understand one thing. What stops an end user (evil hacker) from intercepting the login_challenge key and invoking the accept API call using any REST client in order to complete the login procedure successfully, bypassing the login screen challenge?


Thanks. Got it. I missed that it uses the admin API, which is a server-side-only API.
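The server-side half of the flow discussed in this thread, as an added example (not code from the original post or from the Hydra project): the login provider receives the submitted form, verifies the password locally, and only then calls the accept endpoint on Hydra's admin API, which sits on a network the browser cannot reach. The admin URL `http://hydra-admin.internal:4445`, the in-memory user store and the `accept` callable injected for testing are assumptions of this example; the `/oauth2/auth/requests/login/accept` path is the one quoted in the question.

```python
"""
Server-side login provider for the ORY Hydra login flow.

Added example, not code from the original post or from the Hydra project.
Assumptions (not from the original post):
  * Hydra's admin API listens at HYDRA_ADMIN_URL on an internal network that
    only this service can reach; end users only ever see the public API.
  * The v1 admin path /oauth2/auth/requests/login/accept from the question.
  * Users live in an in-memory dict with constructed sample data.
"""
import hashlib
import hmac
import json
import os
import urllib.request
from urllib.parse import urlencode

# Assumed internal address; this hostname must not be reachable by clients.
HYDRA_ADMIN_URL = "http://hydra-admin.internal:4445"


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed sample user store: username -> (salt, pbkdf2 digest)
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, hash_password("correct horse battery staple", _SALT)),
}


def verify_credentials(username: str, password: str) -> bool:
    """True only if the user exists and the password matches.

    Uses a constant-time compare and hashes even for unknown users, so timing
    does not reveal which half of the check failed.
    """
    record = USERS.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # burn the same time as a real check
        return False
    salt, expected = record
    return hmac.compare_digest(hash_password(password, salt), expected)


def hydra_accept_login(login_challenge: str, subject: str, remember: bool = False) -> str:
    """PUT .../login/accept on the ADMIN API and return redirect_to.

    This request is server-to-server. A user who captured login_challenge
    cannot replay it, because the admin port is not exposed to them.
    """
    query = urlencode({"login_challenge": login_challenge})
    url = f"{HYDRA_ADMIN_URL}/oauth2/auth/requests/login/accept?{query}"
    body = json.dumps({"subject": subject, "remember": remember,
                       "remember_for": 3600}).encode()
    req = urllib.request.Request(url, data=body, method="PUT",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["redirect_to"]


def handle_login_form(login_challenge: str, username: str, password: str,
                      accept=hydra_accept_login):
    """What the public /login endpoint does with a submitted form.

    Returns (http_status, redirect_to_or_None). The accept call happens only
    after the password check passes; `accept` is injectable so the logic can
    be exercised without a running Hydra.
    """
    if not login_challenge:
        return 400, None
    if not verify_credentials(username, password):
        return 401, None
    redirect_to = accept(login_challenge, subject=username)
    return 302, redirect_to
```

The browser only ever talks to the login app and to Hydra's public API; the accept call, and the admin network it travels over, is invisible to it. A captured login_challenge is therefore only as useful as the attacker's ability to satisfy `verify_credentials`, which is exactly the check the login screen exists to enforce.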