Auth0-react maintaining authentication on page refresh

I’ve set up a React SPA using the auth0-react SDK to manage authentication, and I’m having an issue with handling authentication after page refreshes.

After a page refresh, the authentication is lost as I’m only storing the tokens in memory. To handle this I could simply set the cacheLocation on the Auth0Provider to local storage, but I’d like to avoid the security drawbacks with that approach.

Is there a way to configure it to only store the refresh token in local storage? Then on page refresh it could get a new access token using the refresh token. This way I could get the benefits of the refresh token usage detection if the refresh token happened to be leaked.

Is this something that I would have to manually implement?

auth0-react v1.1.0

2 Likes
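The refresh token reuse detection mentioned in the question above, as an added example that is not part of the original thread and is not Auth0's code: a toy in-memory model of rotation in which replaying an already-rotated refresh token revokes the whole token family. The class, method and reason names are hypothetical, and the token values are constructed placeholders.

```javascript
// Toy model of refresh token rotation with reuse detection (added illustration).
// Assumption: tokens here are counter-based placeholders; a real authorization
// server issues unguessable random values and persists this state.
class RotatingTokenServer {
  constructor() {
    this.tokens = new Map();   // refresh token -> { family, used }
    this.revoked = new Set();  // revoked token families
    this.counter = 0;
  }

  mint(family) {
    const token = `rt-${++this.counter}`;
    this.tokens.set(token, { family, used: false });
    return token;
  }

  // Interactive login starts a new token family.
  login() {
    return this.mint(`family-${++this.counter}`);
  }

  // Exchange a refresh token for an access token plus a rotated refresh token.
  refresh(refreshToken) {
    const rec = this.tokens.get(refreshToken);
    if (!rec) return { ok: false, reason: 'unknown_token' };
    if (this.revoked.has(rec.family)) return { ok: false, reason: 'family_revoked' };
    if (rec.used) {
      // A rotated-out token came back: two parties hold tokens from this
      // family, so every descendant is invalidated and a new login is required.
      this.revoked.add(rec.family);
      return { ok: false, reason: 'reuse_detected' };
    }
    rec.used = true; // single use: the old token is now rotated out
    return { ok: true, accessToken: `at-${++this.counter}`, refreshToken: this.mint(rec.family) };
  }
}

// Constructed scenario: a copy of the stored refresh token leaks, the SPA
// refreshes after a page reload, then the leaked copy is presented.
function demo() {
  const server = new RotatingTokenServer();
  const stored = server.login();
  const leakedCopy = stored;
  const spaRefresh = server.refresh(stored);                   // succeeds and rotates
  const replay = server.refresh(leakedCopy);                   // old token replayed
  const spaAfter = server.refresh(spaRefresh.refreshToken);    // family is now dead
  return { spaRefresh: spaRefresh.ok, replay: replay.reason, spaAfter: spaAfter.reason };
}
```

The replay is only detected once the same token is presented a second time, so a leaked token that is used before the legitimate client refreshes succeeds once; the legitimate client's next refresh is what triggers revocation.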

@georgelt Were you able to resolve this issue? Did you have to do something manually outside of the Auth0 React SDK?

I’d also love to know how to achieve this. I had gotten the impression that Refresh Tokens were the answer to the problem of safely maintaining sessions. After you enabled these on the API project, the SPA project, and the Auth0 JS client, calls to getTokenSilently would simply “work”.

Do I have this wrong?

1 Like