Auth0 Angular how to not use localstorage

I have an Angular 16 project which I have served as a PWA. I would like to not use localstorage as the cache location for tokens but so far I haven’t been able to get the user experience to be anywhere near as great. Here is my AuthModule:

    AuthModule.forRoot({
      domain: environment.auth0Domain,
      clientId: environment.auth0ClientId,
      authorizationParams: {
        redirect_uri: window.location.origin,
        audience: environment.auth0Audience,
        scope: 'openid profile email offline_access',
      },
      useRefreshTokens: true,
      httpInterceptor: {
        allowedList: [{
          uri: environment.auth0ApiUri
        }]
      }
    }),

I am able to refresh the page and the user remains logged in but it is doing the full redirect to auth0 so my app loads much slower. I have read an article about using silent authentication and then this article that talks about refresh tokens but I don’t understand how that will be able to work well either since everything is still in memory and gets lost on refresh. Am I misunderstanding the article?

Right now it seems like my refresh is working because my app via the AuthGuard realizes it’s on a protected route, thinks the user is not logged in so it redirects to the auth server, the auth server then recognizes that there was a session from this device/browser before and returns without having the user log in all over again (essentially returning the previous session). This works but the real problem is that it takes 1.5 seconds to complete this process while the localstorage solution loads in under half a second.

Hopefully I am just missing something but I have kept the setup pretty simple in that I have really just followed the quickstart for angular and then the calling an api followup steps.

Thank you in advance for your help!

I am on:
@auth0/auth0-angular: ^2.2.1
and
@auth0/auth0-spa-js: ^2.1.2

Hey there @Stanman!

Your understanding sounds spot on to me. If you have a refresh token in place, when the SDK goes to check the session and it’s expired it will use the refresh token to request new token(s).

This is exactly the expected behavior when storing in memory which is the default behavior - Upon a page refresh the SDK will check for a valid session by attempting to silently authenticate the user using these tokens, without them having to log in again. Unfortunately, this is expected to be slower than relying on localstorage due to the nature of the check.
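
An added example, not part of the thread or Auth0's own code: a token cache with the method shape of the `ICache` interface in `@auth0/auth0-spa-js`, backed by any Web Storage-like object such as `sessionStorage`, so cached entries survive a page refresh without using localStorage. The class name and the `tokencache:` namespace are hypothetical; `sessionStorage` is still readable by any script running in the page's origin, and is cleared when the tab closes.

```typescript
// Added example, not Auth0 or project code.
// Subset of the Web Storage API; window.sessionStorage satisfies it.
interface KeyValueStore {
  readonly length: number;
  key(index: number): string | null;
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

// Same method shape as the ICache interface in @auth0/auth0-spa-js.
class StorageBackedCache {
  private store: KeyValueStore;
  private ns: string;

  // "tokencache:" is a hypothetical namespace that keeps these keys apart
  // from anything else the application puts in the same store.
  constructor(store: KeyValueStore, ns: string = "tokencache:") {
    this.store = store;
    this.ns = ns;
  }

  set<T>(key: string, entry: T): void {
    this.store.setItem(this.ns + key, JSON.stringify(entry));
  }

  get<T>(key: string): T | undefined {
    const raw = this.store.getItem(this.ns + key);
    if (raw === null) return undefined;
    try {
      return JSON.parse(raw) as T;
    } catch {
      // Corrupt entry: drop it and report a cache miss.
      this.store.removeItem(this.ns + key);
      return undefined;
    }
  }

  remove(key: string): void {
    this.store.removeItem(this.ns + key);
  }

  // Only keys written through this cache, with the namespace stripped.
  allKeys(): string[] {
    const keys: string[] = [];
    for (let i = 0; i < this.store.length; i++) {
      const k = this.store.key(i);
      if (k !== null && k.startsWith(this.ns)) keys.push(k.slice(this.ns.length));
    }
    return keys;
  }
}
```

Assuming the SDK's `cache` configuration option for custom caches, the instance would be passed as `cache: new StorageBackedCache(window.sessionStorage)` in the `AuthModule.forRoot` config.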
