I am thinking of using Hydra for my application. To explain my question, I will be referring to three parties: My app’s website client (maf), My app’s backend (mab) and 3rd party app that wants to integrate with mine (3pa).
While 3pa can communicate with mab via sessions managed by Hydra (which are secure since it follows OAuth 2.0 spec), I see no secure provision to enable maf to communicate with mab after user login. This is important for me since if the session management between maf and mab is weak, it becomes the bottleneck to user security in my app. If that session token is stolen, the attacker can generate many OAuth access and refresh tokens to access mab on behalf of the victim.
I saw the example repo, hoping that I could see the missing part there. So my questions are:
- I saw that it uses a login challenge to somehow maintain a session across maf and mab. Is this correct? If so, where is this challenge being stored on the frontend? Local storage or cookies? If not correct, then how is the session being maintained across maf and mab once the end-user logs in?
- If the login challenge is being used to maintain the session, then isn’t that equivalent to just having one long-lived, non-changing access token?
- Is there any other way to create a session across maf and mab that is more secure?
Thank you.