Hi,
We have a SPA where we only want to let the user launch searches if they are authenticated (Google, Facebook or passwordless magic link). Once the user has logged in, we really want him to stay logged in for even 365 days, if possible. Logged-in users have access to their search history and saved searches.
We are hesitating between two solutions:

- Authenticate the user using auth0-spa-js and store the Id Token in the browser's local storage. For the backend API calls (launching a search, fetching search history) we pass the Id Token in a header, and on the server side of the app we validate that Id Token and give access to the user's data (fetch and modify search history).
- Authenticate the user using auth0-spa-js, store the Id Token in the browser's local storage for client-side use only, and use silent rotating Refresh Tokens to fetch Access Tokens. For the backend API calls (launching a search, fetching search history) we pass the latest Access Token in a header, and on the server side of the app we validate that Access Token and give access to the user's data (fetch and modify search history).
Which solution can keep the user logged in longer without reauthentication? Could you briefly present the advantages/disadvantages of the two solutions? Do you see a case when the first solution is applicable?
Thanks for your opinion!