Login & Auth Workflows

WebApp OAuth Login Using Resource Owner Password Credentials Grant With Sessions And Refresh Tokens

By Brian Pontarelli

This workflow is used by web applications using the FusionAuth OAuth login interface. The web application navigates over to FusionAuth and then FusionAuth redirects back to the web application at the end of the OAuth workflow. Below is a diagram that describes the primary components of this workflow and how they interact. Keep in mind that not every interaction is covered here, just the primary login interactions. At the bottom of the diagram is a discussion of the key steps.

For all of our examples, we use a store and a forum for the same company. The store requires a user to login to view their shopping cart and the forum requires the user to login to view forum posts. We also provide a couple of example attack vectors that hackers could use if portions of the system are compromised. These cases might be theoretical or based on known exploits such as XSS (cross-site scripting).

Diagram

Legend

() --> request/response bodies
{} --> request parameters
[] --> cookies
BrowserStoreForumsFusionAuthHackerInitializeLogin (inside WebApp)Shopping cart loadSession expiresRefresh token still validShopping cart loadSession expiresRefresh token expiresRe-loginSSO login to forums - not provided by FusionAuth for this workflowInitializeLogin (inside WebApp)Forum loadAttack vectorsStolen refresh tokenStolen session idGET /1(HTML, CSS & JavaScript - with login link)2GET /login3(Login form HTML)4POST /login5POST /oauth2/token(grant_type=password)6(Refresh Token and JWT)7Create session andstore User in it8302 Location: /shopping-cart[SessionId and Refresh token HttpOnly w/ domain: store.example.com]9GET /shopping-cart[SessionId and Refresh token HttpOnly w/ domain: store.example.com]10Session extended11(Shopping cart HTML)12GET /shopping-cart[SessionId and Refresh token HttpOnly w/ domain: store.example.com]13POST /oauth2/token or POST /api/jwt/refresh(grant_type=refresh and refresh token)14(JWT)15Create new session andstore User in it16(Shopping cart contents)[New SessionId HttpOnly w/ domain: store.example.com]17GET /shopping-cart[SessionId and Refresh token HttpOnly w/ domain: store.example.com]18POST /oauth2/token or POST /api/jwt/refresh(grant_type=refresh and refresh token)19404 Missing20302 Location: /login21Login same as above22GET /[No cookies]23(HTML, CSS & JavaScript - with login link)24GET /login25(Login form HTML)26POST /login27POST /oauth2/token(grant_type=password)28(Refresh Token and JWT)29Create session andstore User in it30302 Location: /posts[SessionId and Refresh Token HttpOnly w/ domain: forums.example.com]31GET /posts[SessionId and Refresh token HttpOnly w/ domain: forums.example.com]32Session extended33(Forum posts HTML)34GET /shopping-cart[Refresh token and bad session id HttpOnly w/ domain: store.example.com]35POST /oauth2/token or POST /api/jwt/refresh(grant_type=refresh and refresh token)36(JWT)37Create session andstore User in38(Shopping cart HTML)[New JWT HttpOnly w/ domain: store.example.com]39GET /shopping-cart[SessionId HttpOnly w/ domain: store.example.com]40Session extended41(Shopping cart HTML)42BrowserStoreForumsFusionAuthHacker

Explanation

  1. The browser requests the shopping cart webapp's homepage from the application backend
  2. The application backend responds with the HTML, CSS & JavaScript of the homepage
  3. The user clicks the login link and the browser requests the login page from the application backend
  4. The application backend responds with the HTML, CSS & JavaScript of the login page (including the form)
  5. The user inputs their credentials and clicks the submit button. The browser POSTs the form data to the application backend
  6. The application backend calls the OAuth token endpoint in FusionAuth by passing in the credentials it received plus a grant_type of password, which indicates it is using the resource owner password credentials grant in FusionAuth's OAuth 2 backend
  7. FusionAuth returns a 200 status code stating that the credentials were okay. It also returns a JWT and a refresh token in JSON
  8. The application backend receives the 200 from FusionAuth and creates a server-side session and stores the User object (or JWT) in it
  9. The application backend returns a redirect to the browser instructing it to navigate to the user's shopping cart. The id for the server-side session is written back to the browser in an HTTP cookie. The refresh token from FusionAuth is also written back to the browser in an HTTP cookie. These cookies are HttpOnly, which prevents JavaScript from accessing them, making them less vulnerable to theft. Additionally, all requests from the browser to the application backend will include these cookies so that the backend can retrieve the User object from the server-side session and refresh their session if it expires
  10. The browser requests the user's shopping cart from the application backend and includes the session and refresh token cookies
  11. The application backend looks up the server-side session associated with the session cookie and extends the expiration date
  12. The application backend loads the User object (or JWT) from the server-side session. The backend then looks up the user's shopping cart from the database (or similar location). Finally, the application backend returns the user's shopping cart as HTML, CSS & JavaScript that the browser renders
  13. A while later, the user's session expires and the user clicks on their shopping cart again. The browser requests the shopping cart from the application backend and sends the session id and refresh token cookies to the application backend
  14. The application backend attempts to load the server-side session associated with session cookie and realizes it is expired. Since the browser also sent across the refresh token, the application backend calls the JWT refresh API in FusionAuth with the refresh token
  15. FusionAuth looks up the refresh token and returns a new JWT
  16. The application backend receives the 200 from FusionAuth and creates a server-side session and stores the User object (or JWT) in it
  17. The application backend responds with the user's shopping cart HTML, CSS & JavaScript that the browser renders. It also includes the new session id as a cookie that replaces the old session id in the browser
  18. A while later, the user's server-side session and refresh token both expire and the user clicks on their shopping cart again. The browser requests the shopping cart from the application backend and sends the session and refresh token cookies to the application backend
  19. The application backend attempts to load the server-side session associated with session cookie and realizes it is expired. Since the browser also sent across the refresh token, the application backend calls the JWT refresh API in FusionAuth with the refresh token
  20. Since the refresh token has expired, FusionAuth returns a 404 status code
  21. Since FusionAuth returned a 404 status code, the application backend returns a redirect to the browser that sends the user to the login page
  22. The user can log in the same way they did above
  23. The browser requests the forum webapp's homepage from the application backend. This is a standard SSO login, but because of the way this workflow manages cookies and identities, FusionAuth does not provide SSO capabilities automatically
  24. The application backend responds with the HTML, CSS & JavaScript of the homepage
  25. The user clicks the login link and the browser requests the login page from the application backend
  26. The application backend responds with the HTML, CSS & JavaScript of the login page (including the form)
  27. The user inputs their credentials and clicks the submit button. The browser POSTs the form data to the application backend
  28. The application backend calls the OAuth token endpoint in FusionAuth by passing in the credentials it received plus a grant_type of password, which indicates it is using the resource owner password credentials grant in FusionAuth's OAuth 2 backend
  29. FusionAuth returns a 200 status code stating that the credentials were okay. It also returns a JWT and a refresh token in JSON
  30. The application backend receives the 200 from FusionAuth and creates a server-side session and stores the User object (or JWT) in it
  31. The application backend returns a redirect to the browser instructing it to navigate to the user's forum posts. The id for the server-side session is written back to the browser in an HTTP cookie. The refresh token from FusionAuth is also written back to the browser in an HTTP cookie. These cookies are HttpOnly, which prevents JavaScript from accessing them, making them less vulnerable to theft. Additionally, all requests from the browser to the application backend will include these cookies so that the backend can retrieve the User object from the server-side session and refresh their session if it expires
  32. The browser requests the user's forum posts from the application backend and includes the session and refresh token cookies
  33. The application backend looks up the server-side session associated with the session cookie and extends the expiration date
  34. The application backend loads the User object (or JWT) from the session associated with the session cookie. The backend then looks up the user's forum posts from the database (or similar location). Finally, the application backend returns the user's forum posts as HTML, CSS & JavaScript that the browser renders
  35. This is an attack vector where the attacker has stolen the user's refresh token. Here, the attacker requests the user's shopping cart with the stolen refresh token and an invalid session id
  36. The application backend verifies the session id and realizes it is invalid. Since the browser also sent across the refresh token, the application backend calls the JWT refresh API in FusionAuth with the refresh token
  37. FusionAuth looks up the refresh token and returns a new JWT
  38. The application backend receives the 200 from FusionAuth and creates a server-side session and stores the User object (or JWT) in it
  39. The application backend uses the JWT to look up the user's shopping cart. It responds to the attacker with the user's shopping cart HTML, CSS & JavaScript. It also includes the new session id as a cookie that attacker can now use
  40. This is an attack vector where the attacker has stolen the user's session cookie. Here, the attacker requests the user's shopping cart with the stolen session cookie
  41. The application backend looks up the server-side session associated with the session cookie and extends the expiration date
  42. The application backend uses the session to look up the user's shopping cart. It responds to the attacker with the user's shopping cart HTML, CSS & JavaScript

Security considerations

This workflow is one of the more secure methods of authenticating users. One downside is that the application backend receives passwords from the browser. While this isn’t an issue if TLS is used and the passwords are not stored by the application backend, developers that do not want to be part of the password chain of responsibility should consider other workflows.

APIs used

Here are the FusionAuth APIs used in this example: