How to Ensure JWT Access Tokens Are Not Stolen in an Angular SPA + NestJS Setup?

Hi everyone,

I’ve been following the blog posts and quickstart guides for building an Angular SPA with a NestJS backend, and everything is working great so far. However, I have a few concerns regarding security and would appreciate some guidance:

How can I ensure that the JWT access_token is coming from the intended browser and hasn’t been stolen?

In the past, I relied on HTTP-only cookies for this purpose. When a user logged in, I generated and signed the token on my backend, then stored a random string as an HTTP-only cookie associated with the token in cache. Every time the user sent a request with the JWT access_token, I validated both the token and the cookie in the cache to ensure they matched before allowing access.

Now, I see that the Angular SDK’s HttpInterceptor automatically appends the access_token to requests. Is there a way to hook into the login process or modify the behavior to reintroduce a similar cookie-based validation system?

Do I need to intercept the login response from the authorization server on my backend, create the HTTP-only cookie there, and then redirect the user back to the Angular SPA?

Or is there a newer, recommended approach to ensure the token is being used securely and from the intended browser?

Thanks in advance for your help!
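One way to implement the check described in the first post (a signed JWT paired with a random HTTP-only cookie, both validated on every request) as an added example, not code from the original post, the Auth0 SDK or NestJS. It is plain TypeScript on Node's `crypto` module so it can run outside a framework; the HS256 `SIGNING_SECRET`, the cookie name `bind`, the 15-minute lifetime and the in-memory `Map` standing in for the cache are assumptions:

```typescript
// Added example, not code from the original post or the Auth0 SDK: a backend
// issues an HS256 JWT together with a random HTTP-only cookie, remembers the
// pair server-side, and rejects a token presented without its cookie.
// SIGNING_SECRET, the cookie name "bind" and the in-memory Map are assumptions.
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

const SIGNING_SECRET = "dev-only-secret-replace-in-production"; // assumption

// jti -> SHA-256 of the binding cookie value. A real deployment would use a
// shared cache (Redis etc.) so every backend instance sees the same entries.
const bindingCache = new Map<string, Buffer>();

const sha256 = (s: string): Buffer => createHash("sha256").update(s).digest();
const b64url = (s: string): string => Buffer.from(s).toString("base64url");

export function signJwt(payload: Record<string, unknown>): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", SIGNING_SECRET).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Returns the claims, or null if the signature is wrong or the token has expired.
export function verifyJwt(token: string): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = createHmac("sha256", SIGNING_SECRET).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims: Record<string, unknown>;
  try {
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  const exp = claims.exp;
  if (typeof exp !== "number" || exp < Math.floor(Date.now() / 1000)) return null;
  return claims;
}

// Login: mint the token and the cookie that binds it. Only the cookie's hash
// is kept server-side, so a leaked cache does not yield usable cookies.
export function login(sub: string, roles: string[]): { access_token: string; setCookie: string } {
  const jti = randomBytes(16).toString("hex");
  const binding = randomBytes(32).toString("base64url");
  bindingCache.set(jti, sha256(binding));
  const now = Math.floor(Date.now() / 1000);
  const access_token = signJwt({ sub, roles, jti, iat: now, exp: now + 900 });
  const setCookie = `bind=${binding}; HttpOnly; Secure; SameSite=Strict; Path=/api; Max-Age=900`;
  return { access_token, setCookie };
}

// Logout: dropping the cache entry makes the token useless even before it expires.
export function logout(token: string): void {
  const claims = verifyJwt(token);
  if (claims && typeof claims.jti === "string") bindingCache.delete(claims.jti);
}

function cookieValue(cookieHeader: string | undefined, name: string): string | undefined {
  if (!cookieHeader) return undefined;
  for (const part of cookieHeader.split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k === name) return v.join("=");
  }
  return undefined;
}

export type AuthOutcome = "ok" | "bad-token" | "missing-binding" | "binding-mismatch";

// Guard for a protected route: both checks the post describes, in order.
export function authorize(authorization: string | undefined, cookieHeader: string | undefined): AuthOutcome {
  const token = authorization?.startsWith("Bearer ") ? authorization.slice(7) : "";
  const claims = verifyJwt(token);
  if (!claims || typeof claims.jti !== "string") return "bad-token";
  const expected = bindingCache.get(claims.jti);
  const presented = cookieValue(cookieHeader, "bind");
  if (!expected || presented === undefined) return "missing-binding";
  return timingSafeEqual(sha256(presented), expected) ? "ok" : "binding-mismatch";
}
```

What this does and does not buy: a token copied into Postman or curl fails with `missing-binding` because the cookie never left the browser's cookie jar. It does not stop script running in the SPA's own origin, which gets the cookie attached automatically by the browser, and it only works when the token is issued by the same backend that sets the cookie; with tokens minted by an external authorization server the backend has no login step to hook, which is what pushes people toward the BFF pattern mentioned later in the thread.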

Hi,

There is no way to fully secure the access token when using Angular. One way or another, any user can view the token once they are logged in. Yes, the Auth0 SDK will automatically make token calls.

I would recommend not sending sensitive information in the token that shouldn’t be publicly exposed.

Use backend API calls for communication with Auth0 when needed.

Typically, the access token only contains user roles, so avoid using it to share sensitive information.

If you can let me know what type of information you want to secure, I can suggest a different approach to manage it.

Hi,

It’s just the user credentials; I don’t want them to be able to replay the token in a browser that is not intended to use those credentials, i.e. copy the token and paste it in Postman or the curl CLI.

I did find this IETF current best practice, “BFF” (can’t paste link), so I think I’m going with this approach.
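A minimal sketch of the flow the original question asks about (backend handles the login callback, sets the HTTP-only cookie, redirects back to the SPA) and of the BFF pattern the last post settles on, as an added example that is not code from the original posts, the Auth0 SDK or NestJS. The browser only ever receives an opaque session id; the access token stays server-side and is attached when the backend proxies `/api/*` calls. The in-memory session store, the cookie name `sid`, the fake `exchangeCodeForTokens` and the `https://app.example` origin are assumptions:

```typescript
// Added example, not code from the original posts, the Auth0 SDK or NestJS: a
// minimal "backend for frontend". The backend completes the login, keeps the
// tokens in a server-side session, gives the browser only an opaque HttpOnly
// session cookie, and adds the Authorization header when it proxies API calls.
// The session store, the cookie name "sid" and the fake upstream are assumptions.
import { randomBytes } from "node:crypto";

interface Session { accessToken: string; expiresAt: number }
const sessions = new Map<string, Session>(); // sid -> tokens (would be Redis/DB)

interface HttpReq { method: string; url: string; headers: Record<string, string | undefined> }
interface HttpRes { status: number; headers: Record<string, string>; body: unknown }

// Assumed SPA origin; the SPA and the BFF must share a site or the cookie is not sent.
const ALLOWED_ORIGIN = "https://app.example";

// Stand-in for the token exchange with the authorization server; a real BFF
// would POST the authorization code to the token endpoint over the back channel.
function exchangeCodeForTokens(code: string): { access_token: string; expires_in: number } {
  return { access_token: `at-${code}-secret`, expires_in: 900 };
}

// The redirect_uri handler: the only component that ever sees the access token.
export function handleCallback(req: HttpReq, spaUrl: string): HttpRes {
  const code = new URL(req.url, ALLOWED_ORIGIN).searchParams.get("code");
  if (!code) return { status: 400, headers: {}, body: "missing code" };
  const tokens = exchangeCodeForTokens(code);
  const sid = randomBytes(32).toString("base64url");
  sessions.set(sid, { accessToken: tokens.access_token, expiresAt: Date.now() + tokens.expires_in * 1000 });
  return {
    status: 302,
    headers: {
      Location: spaUrl,
      "Set-Cookie": `sid=${sid}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=${tokens.expires_in}`,
    },
    body: null,
  };
}

function sidFrom(req: HttpReq): string | undefined {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie ?? "");
  return m?.[1];
}

// Records what the resource server received, so the proxy behaviour can be checked.
export const upstreamLog: Array<{ path: string; authorization: string }> = [];
function callUpstream(path: string, authorization: string): unknown {
  upstreamLog.push({ path, authorization });
  return { data: `result for ${path}` };
}

// /api/* proxy: session cookie in, bearer token out; the SPA never holds the token.
export function handleApi(req: HttpReq): HttpRes {
  // Cookies are attached automatically, so state-changing calls need an
  // origin check (or a CSRF token) on top of SameSite.
  if (req.method !== "GET" && req.headers.origin !== ALLOWED_ORIGIN) {
    return { status: 403, headers: {}, body: "cross-site request refused" };
  }
  const sid = sidFrom(req);
  const session = sid ? sessions.get(sid) : undefined;
  if (!session || session.expiresAt <= Date.now()) {
    return { status: 401, headers: {}, body: "no session" };
  }
  const path = new URL(req.url, ALLOWED_ORIGIN).pathname.replace(/^\/api/, "");
  return { status: 200, headers: {}, body: callUpstream(path, `Bearer ${session.accessToken}`) };
}

// Logout: delete the server-side session and clear the cookie.
export function handleLogout(req: HttpReq): HttpRes {
  const sid = sidFrom(req);
  if (sid) sessions.delete(sid);
  return {
    status: 204,
    headers: { "Set-Cookie": "sid=; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=0" },
    body: null,
  };
}
```

With this layout the Angular interceptor that appends the access token is no longer needed; the SPA calls `/api/...` with `withCredentials` and the cookie does the rest. A token pasted into another client is impossible because the client never had one, and the remaining risk moves to session fixation and CSRF on the cookie, which is why the session id is random, the cookie is `HttpOnly; Secure; SameSite=Strict`, and non-GET requests are checked against the expected `Origin`.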