Does Hydra also secure session management between app's frontend and backend?

I am thinking of using Hydra for my application. To explain my question, I will be referring to three parties: My app’s website client (maf), My app’s backend (mab) and 3rd party app that wants to integrate with mine (3pa).

While 3pa can communicate with mab via sessions managed by Hydra (which are secure since it follows OAuth 2.0 spec), I see no secure provision to enable maf to communicate with mab after user login. This is important for me since if the session management between maf and mab is weak, it becomes the bottleneck to user security in my app. If that session token is stolen, the attacker can generate many OAuth access and refresh tokens to access mab on behalf of the victim.

I saw the example repo, hoping that I can see the missing part there. So my questions are:

  • I saw that it uses a login challenge to somehow maintain a session across maf and mab. Is this correct? If so, where is this challenge being stored on the frontend? Localstorage or cookies? If not correct, then how is the session being maintained across maf and mab once the end-user logs in?
  • If the login challenge is being used to maintain the session, then isn’t that equivalent to just having one long-lived, non-changing access token?
  • Is there any other way to create a session across maf and mab that is more secure?

Thank you.

OAuth2 is not a protocol to manage sessions. Nor is OpenID Connect. There are OpenID Connect extensions that support session scenarios, but they are loosely coupled. They always involve a third party that you don’t trust.

I’d probably recommend something like ORY Kratos for your first-party scenario, and adding ORY Hydra on top to deal with 3rd party.

Thank you for your answer. I checked out Kratos, and I think it too uses a simple long-lived access token for first-party sessions. Is this correct? If yes, then this still doesn’t solve my security issues, which makes me wonder if I am overthinking this… Any thoughts please?

Probably :wink: Using cookies for browser-based authentication is what basically everyone does, including banks, Google, Amazon, IBM. The good thing about cookies: you can revoke them any time.
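To make the point about revocable cookie sessions concrete, here is an added example of the pattern the reply describes: the browser holds only an opaque random identifier in an `HttpOnly; Secure; SameSite` cookie, and the backend keeps the real session state so it can expire, rotate, or revoke it at will. This is illustrative code written for this thread, not code from ORY Hydra or ORY Kratos; the in-memory `SessionStore`, the cookie name `session`, and the one-hour lifetime are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Session lifetime in seconds (constructed value for the example).
SESSION_TTL = 60 * 60


class SessionStore:
    """Server-side session store keyed by a hash of the opaque cookie value.

    The client only ever sees a random identifier. Which user it belongs to
    and when it expires live here, so the backend can invalidate a session at
    any time without the client's cooperation, unlike a self-contained
    long-lived bearer token.
    """

    def __init__(self):
        self._sessions = {}  # sha256(token) -> {"user": ..., "expires": ...}

    @staticmethod
    def _key(token):
        # Store a hash rather than the raw token: a leaked store does not
        # hand out cookie values that can be replayed against the backend.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, user_id, now=None):
        """Start a session for user_id and return the opaque cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = {"user": user_id, "expires": now + SESSION_TTL}
        return token

    def lookup(self, token, now=None):
        """Return the user_id of a valid session, or None if unknown, expired or revoked."""
        now = time.time() if now is None else now
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if entry["expires"] <= now:
            del self._sessions[key]  # expired: drop it eagerly
            return None
        return entry["user"]

    def revoke(self, token):
        """Invalidate a single session (logout). Returns True if one was removed."""
        return self._sessions.pop(self._key(token), None) is not None

    def revoke_all_for_user(self, user_id):
        """Invalidate every session of a user, e.g. after a password change or
        when a cookie is suspected stolen. Returns the number removed."""
        doomed = [k for k, v in self._sessions.items() if v["user"] == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def rotate(self, token, now=None):
        """Issue a fresh identifier for an existing session (after login or a
        privilege change) and retire the old one. Returns the new token or None."""
        user = self.lookup(token, now)
        if user is None:
            return None
        self.revoke(token)
        return self.create(user, now)


def session_cookie_header(token):
    """Set-Cookie header value: not readable by scripts, HTTPS only, not sent
    on cross-site POSTs, and bounded in lifetime."""
    return (f"session={token}; Path=/; Max-Age={SESSION_TTL}; "
            "HttpOnly; Secure; SameSite=Lax")


def parse_session_cookie(cookie_header):
    """Pull the session identifier out of a Cookie request header, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value:
            return value
    return None


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_700_000_000.0
    tok = store.create("alice", now=t0)
    print(session_cookie_header(tok))
    print(store.lookup(tok, now=t0 + 10))          # alice
    store.revoke_all_for_user("alice")
    print(store.lookup(tok, now=t0 + 10))          # None: revoked server-side
```

The design choice that answers the original worry: because the cookie value carries no claims of its own, a stolen identifier is only as useful as the server-side entry behind it, and `revoke`, `revoke_all_for_user` and the TTL give the backend three independent ways to cut it off. In a real deployment the dictionary would be a shared store such as a database or cache, and `rotate` would be called at every authentication boundary to limit the value of any identifier captured before login.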