Obtain valid ID tokens for server-based Password Grant flow


We are using Auth0 with a custom login screen. We authorize users through Resource Owner Password Flow using the Auth0 SDK in the server.

We do not use the Auth0 JavaScript SDK in the client because we are migrating users to Auth0 from a different authentication provider. Hence, we are managing the migration and authentication flows in the server.

So our workflow is as below:

  1. The user logs in through a custom login page using email and password.
  2. The client calls our backend API to authenticate using the passwordGrant method.
  3. We check if it is a valid user and exists in our custom user database.
  4. If he does, the client receives a custom JWT token that we store in the client cookie for a week. This allows us to prevent users from logging in again when they return back to the site or refresh the page.

This workflow works fine to some extent. However, we need to have the ID token in the client. We need to send this ID token to AWS Cognito Identity Pool to obtain temporary AWS credentials.

We can only get a valid ID token when we log in or use a refresh token to generate a new one. So my question is: since storing ID tokens or refresh tokens in the client is recommended, how do I keep these tokens safe?

I looked into storing the tokens in a web worker, but the tokens will be gone when the user refreshes the page or closes the tab. How can I get a valid ID token in the client without making users log in again whenever they return back to the site?

Our technology stack is as below:

Next JS + GraphQL API (front end)
Nest JS + GraphQL Server (backend)