Hi. How should I persist tokens in an SPA? As mentioned here, it's not a good idea to persist the tokens in the local storage, which makes sense to me. The article is saying:
"If your single-page app has a backend server at all, then tokens should be handled server-side using the Authorization Code Flow, Authorization Code Flow with Proof Key for Code Exchange (PKCE), or Hybrid Flow." I don't understand how exactly I should leverage my backend to handle the tokens. I can think of ideas like keeping the access token persisted in the backend and referencing the browser that has access to the tokens with a session. But this sounds rather odd (I would also need to add CSRF attack prevention when using sessions). What is considered a good implementation to persist the tokens?
P.S. I checked the links in the article but I don't understand how exactly they can help me to solve this problem.