Login & Auth Workflows
Single-Page Application Native Login To Backend With Sessions And Refresh Tokens
By Brian Pontarelli
This workflow example is used by single-page applications using a native login form inside the webapp. This login form uses an AJAX POST
to send the user’s credentials (email and password) to the backend of the application. The application backend in turn calls to FusionAuth. Below is a backend-code login-page diagram that describes the primary components of this workflow and how they interact. Keep in mind that not every interaction is covered here, just the primary login interactions. At the bottom of the diagram is a discussion of the key steps.
For all of our examples, we use a store and a forum for the same company. The store requires a user to login to view their shopping cart and the forum requires the user to login to view forum posts. We also provide a couple of example attack vectors that hackers could use if portions of the system are compromised. These cases might be theoretical or based on known exploits such as XSS (cross-site scripting).
Diagram
Legend
() --> request/response bodies
{} --> request parameters
[] --> cookies
Explanation
- The browser requests the shopping cart single-page application from the application backend
- The application backend responds with the HTML, CSS & JavaScript of the application
- The browser loads the application and as part of the initialization process, it makes a request to the application backend to see if the user is logged in
- The application backend responds with a 404 indicating the user is not logged in
- The application renders the login form
- The user inputs their credentials and clicks the submit button. The browser AJAX
POST
s the form data to the application backend - The application backend calls the Login API in FusionAuth by passing in the credentials it received
- FusionAuth returns a 200 status code stating that the credentials were okay. It also returns the User object, a JWT and a refresh token in JSON
- The application backend receives the 200 from FusionAuth and creates a server-side session and stores the User object (or JWT) in it
- The application backend might return the User object to the browser if it needs it. The id for the server-side session is written back to the browser in an HTTP cookie. The refresh token from FusionAuth is also written back to the browser in an HTTP cookie. These cookies are HttpOnly, which prevents JavaScript from accessing them, making them less vulnerable to theft. Additionally, all requests from the browser to the application backend will include these cookies so that the backend can retrieve the User object from the server-side session and refresh their session if it expires
- The browser requests the user's shopping cart from the application backend via AJAX and includes the session and refresh token cookies
- The application backend looks up the server-side session associated with the session cookie and extends the expiration date
- The application backend loads the User object (or JWT) from the server-side session. The backend then looks up the user's shopping cart from the database (or similar location). Finally, the application backend returns the user's shopping cart contents (usually as JSON)
- A while later, the user's session expires and the user clicks on their shopping cart again. The browser requests the shopping cart from the application backend via AJAX and sends the session id and refresh token cookies to the application backend
- The application backend attempts to load the server-side session associated with session cookie and realizes it is expired. Since the browser also sent across the refresh token, the application backend calls the JWT refresh API in FusionAuth with the refresh token
- FusionAuth looks up the refresh token and returns a new JWT
- The application backend receives the 200 from FusionAuth and creates a server-side session and stores the User object (or JWT) in it
- The application backend responds with the user's shopping cart contents (usually as JSON). It also includes the new session id as a cookie that replaces the old session id in the browser
- A while later, the user's server-side session and refresh token both expire and the user clicks on their shopping cart again. The browser requests the shopping cart from the application backend via AJAX and sends the session and refresh token cookies to the application backend
- The application backend attempts to load the server-side session associated with session cookie and realizes it is expired. Since the browser also sent across the refresh token, the application backend calls the JWT refresh API in FusionAuth with the refresh token
- Since the refresh token has expired, FusionAuth returns a 404 status code
- Since FusionAuth returned a 404 status code, the application backend returns a 401 indicating that the user is no longer logged in
- At this point, the application can allow the user to log in the same way they did above
- The browser requests the forums single-page application from the application backend. This is a standard SSO login, but because of the way this workflow manages cookies and identities, FusionAuth does not provide SSO capabilities automatically
- The application backend responds with the HTML, CSS & JavaScript of the application
- The browser loads the application and as part of the initialization process, it makes a request to the application backend to see if the user is logged in
- The application backend responds with a 404 indicating the user is not logged in
- The application renders the login form
- The user inputs their credentials and clicks the submit button. The browser AJAX
POST
s the form data to the application backend - The application backend calls the Login API in FusionAuth by passing in the credentials it received
- FusionAuth returns a 200 status code stating that the credentials were okay. It also returns the User object, a JWT and a refresh token in JSON
- The application backend receives the 200 from FusionAuth and creates a server-side session and stores the User object (or JWT) in it
- The application backend might return the User object to the browser if it needs it. The id for the server-side session is written back to the browser in an HTTP cookie. The refresh token from FusionAuth is also written back to the browser in an HTTP cookie. These cookies are HttpOnly, which prevents JavaScript from accessing them, making them less vulnerable to theft. Additionally, all requests from the browser to the application backend will include these cookies so that the backend can retrieve the User object from the server-side session and refresh their session if it expires
- The browser requests the user's forum posts from the application backend via AJAX and includes the session and refresh token cookies
- The application backend looks up the server-side session associated with the session cookie and extends the expiration date
- The application backend loads the User object (or JWT) from the session associated with the session cookie. The backend then looks up the user's forum posts from the database (or similar location). Finally, the application backend returns the user's forum posts (usually as JSON)
- This is an attack vector where the attacker has stolen the user's refresh token. Here, the attacker requests the user's shopping cart with the stolen refresh token and an invalid session id
- The application backend verifies the session id and realizes it is invalid. Since the attacker also sent across the refresh token, the application backend calls the JWT refresh API in FusionAuth with the refresh token
- FusionAuth looks up the refresh token and returns a new JWT
- The application backend receives the 200 from FusionAuth and creates a server-side session and stores the User object (or JWT) in it
- The application backend uses the JWT to look up the user's shopping cart. It responds to the attacker with the user's shopping cart contents (usually as JSON). It also includes the new session id as a cookie that attacker can now use
- This is an attack vector where the attacker has stolen the user's session cookie. Here, the attacker requests the user's shopping cart with the stolen session cookie
- The application backend looks up the server-side session associated with the session cookie and extends the expiration date
- The application backend uses the session to look up the user's shopping cart. It responds to the attacker with the user's shopping cart contents (usually as JSON)
Security considerations
This workflow is one of the more secure methods of authenticating users. One downside is that the application backend receives passwords from the browser. While this isn’t an issue if TLS is used and the passwords are not stored by the application backend, developers that do not want to be part of the password chain of responsibility should consider other workflows.
APIs used
Here are the FusionAuth APIs used in this example: