Hi!
I have been reading a lot over the last few days about oauth2/accessToken/localStorage/cookies/xss/csrf and I learned a lot of things while reading.
I'm only sceptical about one thing in the Auth0 documentation: Auth0 Single Page App SDK
In the "Change storage options" section, you mention:
“Storing tokens in browser local storage provides persistence across page refreshes and browser tabs. However, if an attacker can achieve running JavaScript in the SPA using a cross-site scripting (XSS) attack, they can retrieve the tokens stored in local storage.”
However, in the “Call an API” section, you mention this method:
import { Auth0Client } from '@auth0/auth0-spa-js';

// The attacker could create the auth0 variable with
const auth0 = new Auth0Client({
  domain: '{yourDomain}',
  clientId: '{yourClientId}'
});

// and then get the token (the call shown in the docs) + fetch data from the API.
const accessToken = await auth0.getTokenSilently();
My question is: what prevents an XSS attacker from calling const accessToken = await auth0.getTokenSilently() in a script (instead of reading local storage) and then using it to call APIs?
Thanks in advance and don’t hesitate to tell me if my question is not clear.