Where to store the refresh token on the Client?
My SPA application uses the following architecture (source):
This assumes that my client application knows about the refresh token, because I need it to request a new access token if no user credentials (e.g. email/password) are present.
My question: Where do I store the refresh token in my client-side application? There are lots of questions/answers about this topic on SO, but regarding the refresh token the answer are not clear.
Access token and refresh token shouldn't be stored in the local/session storage, because they are not a place for any sensitive data. Hence I would store the access token in a httpOnly cookie (even though there is CSRF) and I need it for most of my requests to the Resource Server anyway.
But what about the refresh token? I cannot store it in a cookie, because (1) it would be send with every request to my Resource Server as well which makes it vulnerable to CSRF too and (2) it would send expose both access/refresh token with an identical attack vector.
There are three solutions I could think of:
1) Storing the refresh token in an in-memory JavaScript variable, which has two drawbacks:
- a) It's vulnerable to XSS (but may be not as obvious as local/session storage
- b) It looses the "session" if a user closes the browser tab
Especially the latter drawback makes will turn out as a bad UX.
2) Storing the access token in session storage and sending it via a Bearer access_token authorization header to my resource server. Then I can use httpOnly cookies for the refresh token. This has one drawback that I can think of:
- a) The refresh token is exposed to CSRF with every request made to the Resource Server.
3) Keep both tokens in httpOnly cookies which has the mentioned drawback that both tokens are exposed to the same attack vector.
Maybe there is another way or more than my mentioned drawbacks (please let me know), but in the end everything boils down to where do I keep my refresh token on the client-side? Is it httpOnly cookie or an in-memory JS variable? If it is the former, where do I put my access token then?
Would be super happy to get any clues about how to do this the best way from people who are familiar with the topic.
You can store tokens securely in HttpOnly cookies.
https://medium.com/@sadnub/simple-and-secure-api-authentication-for-spas-e46bcea592ad
If you worry about long-living Refresh Token. You can skip storing it and not use it at all. Just keep Access Token in memory (JavaScript variable) and do silent sign-in when Access Token expires.
Don't use
Implicitflow because it's obsolete.
The most secure way of authentication for SPA is Authorization Code with PKCE.
In general, it's better to use existing libraries based on oidc-client than building something on your own.
- What should we store in the session when using session-based authentication?
- Use React Authentication with .NET backend?
- How to authenticate large numbers of amazon S3 get requests
- Can a client-side login be safe?
- I'm trying to connect with my Heroku app and when I enter my email and password, it's asking me "Enter the code generated by your authenticator app."
- How to generate COMMON KEY RING to Share cookies across subdomains?
- django after submit login info, does not lead to intended detail view page
- Getting OAuth code challenge on loopback server
- Unable to login to GitHub account even with correct credentials
- 10 second delay between login and shell prompt.
- Accessing private Azure Blob Storage using BlobServiceClient
- Supabase signUp returning AuthRetryableFetchError 504
- Cypress can't find the password field in the Microsoft Login
- Where is correct place to authenticate users from multiple places?
- symfony - getting logged out at form->handleRequest
- Laravel auth vs Passport vs Sanctum
- Hit web endpoints behind Devise authentication with non-browser request in a Rails app
- HERE Geocoder API: authentication problem
- Cookie LoginPath not redirecting to path
- why my postman basic auth not working correctly?
- AWS Cognito: Missing Scopes in Access Token with Custom UI and Device Remember Functionality for MFA
- Cypress test starts from the begining for every test case
- Auth.js v5 Database Session Strategy for Credential Provider Returning Null
- NET MAUI unable to implement social login for Android and iOS
- Proper design for th Keycloak auth with APIs and UI
- AuthenticationFailed while calling azure api
- Django OAuth2 Authentication Failing in Unit Tests - 401 'invalid_client' Error
- ServiceStack JWT Refresh token uses Session identifier when used with OAuth AuthProvider
- No route matches [GET] "/users/sign_out"
- Sourcing R files in a private github folder