Hey all, I’m using the implicit grant login flow and I am very confused.
The page at https://auth0.com/docs/flows/concepts/single-page-login-flow does not have any information on what to do with access tokens if the page refreshes.
Obviously if you refresh, making the user go to login again is a terrible user experience.
And then https://auth0.com/docs/security/store-tokens says not to store access tokens in local storage. So if not there, where do I store it?
It recommends storing it on my API, but that also does not make any sense. I could create a Bearer Token or HAWK64 and send that back to the client. But then I run into the same thing: if I refresh the page, that token is gone, and if I store it, we’re back to square one, where a cross-domain scripting attack could take the token and masquerade as the user.