  1. I go to my application and check if there is JWT cookie
  2. If it is there, I parse it and verify whether the user has access to my application
  3. If it is not there, I will redirect user to authenticate in FusionAuth
  4. After successful login, user will be redirected back to my application

How do I specify in step 3 fusionauth id of my application?

And how do I specify that I want to redirect to my application after successful login?

I assume that fusionauth is running on fusionauth.mydomain.com and application on myapp.mydomain.com and JWT cookie will be issued in mydomain.com, so it will be visible for both.

Ľubomír Mlích

2 Answers


This appears to be a standard OAuth Authorization Code Grant workflow. We have this workflow and many others documented here:

https://fusionauth.io/articles/logins/types-of-logins-authentication-workflows

My guess is that your specific workflow is likely the Authorization Code Grant for Single-Page Applications using JWTs and Refresh Tokens that is documented here:

https://fusionauth.io/articles/logins/spa/oauth-authorization-code-grant-jwts-refresh-tokens-cookies

The way that this works is that you start the OAuth workflow from your application by redirecting the browser to FusionAuth's /oauth2/authorize endpoint. You will need to supply this information to start the OAuth workflow:

  • client_id - this can be found under the Application configuration in FusionAuth
  • response_type - for the Authorization Code grant, this will be code
  • redirect_uri - this is the location you want the user to return to after they log in with FusionAuth. You must configure this URI in FusionAuth under the Application's OAuth configuration tab.

If you are running FusionAuth 1.6.0 or newer, you can also click the "View" icon for your Application and it will display a pop-up dialog that will contain the OAuth URL. You will still need to specify the redirect_uri though. Here is the documentation page for the Authorize endpoint:

https://fusionauth.io/docs/v1/tech/oauth/endpoints#authorize

Once you have that working, you will need to write the Controller for your redirect_uri. This Controller will take the code from the URL that FusionAuth generates and call the /oauth2/token endpoint. This process will exchange the authorization code for an access token, which is a JWT.

The documentation for the /oauth2/token endpoint is located here:

https://fusionauth.io/docs/v1/tech/oauth/endpoints#token

This will help you implement your Controller.

voidmain
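The two halves of the answer above (building the /oauth2/authorize redirect for step 3, then having the redirect_uri controller take the code and prepare the /oauth2/token exchange) as an added example; this is not code from the answer or from FusionAuth. It assumes the standard OAuth 2.0 `state` parameter and the standard form-encoded authorization_code token request; the base URL, client_id, secret and callback path are constructed sample values.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def new_state():
    # Random per-login value; store it in the server-side session before redirecting.
    return secrets.token_urlsafe(32)


def build_authorize_url(fusionauth_base, client_id, redirect_uri, state):
    """Step 3: the URL the app redirects the browser to. client_id identifies the
    FusionAuth Application; redirect_uri must be registered as an authorized
    redirect for it. state (standard OAuth 2.0) lets the callback prove it belongs
    to a login this app started, which blocks CSRF-style code injection."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{fusionauth_base}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 4: the redirect_uri controller receives ?code=...&state=...
    Returns the one-time code, or raises if the callback cannot be trusted."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback not tied to a login we started")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(fusionauth_base, client_id, client_secret, code, redirect_uri):
    """The form-encoded POST the controller sends to /oauth2/token to swap the code
    for the access token (JWT). redirect_uri must repeat the step-3 value exactly,
    and the client secret never leaves the server (this is why the exchange is
    done by the controller, not by browser-side code)."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return f"{fusionauth_base}/oauth2/token", urlencode(body)
```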

Yes, this is possible.

In step 3, you will redirect the browser to the FusionAuth login page. Navigate to Settings --> Applications in the FusionAuth UI and click on the green view button for the application in question.

This will bring up a dialog which will show integration information (if you're on a recent version of FusionAuth).

You'll see a link something like this:

OAuth IdP login URL: https://fusionauth.mydomain.com/oauth2/authorize?client_id=ee31103f-2fc1-4bb5-ba95-ac543693503e&response_type=code&redirect_uri={your URI here}

The client_id parameter in this case will identify your application to FusionAuth.

> And how do I specify that I want to redirect to my application after successful login?

This is configured in FusionAuth as an authorized redirect, and then you specify this same URL when redirecting to FusionAuth to login. Notice the redirect_uri parameter in the example URL above. There is a screenshot of this configuration here: https://fusionauth.io/docs/v1/tech/oauth/overview

> I assume that fusionauth is running on fusionauth.mydomain.com and application on myapp.mydomain.com and JWT cookie will be issued in mydomain.com, so it will be visible for both.

FusionAuth does not currently drop cross-domain cookies. If you are running FusionAuth at fusionauth.mydomain.com, the cookie will have that same domain and will not be visible to myapp.mydomain.com.

If you want to leverage FusionAuth, then you do not need to inspect the cookie on myapp.mydomain.com; you'll simply redirect the user if they are not logged in, and if the user already has an SSO session on FusionAuth, they will be seamlessly redirected back to your application.

You can review our login workflows to identify the one that fits your requirements the best and then follow the recommended workflow. https://fusionauth.io/articles/logins/types-of-logins-authentication-workflows

robotdan