Secure cached token idea

Looking at auth0-spa-js, but could potentially use server-side or anything else.

I have an SPA, connecting to a custom backend.

I’d like to persist the access token between requests, but don’t necessarily need access to it from javascript. In fact I’d prefer JS doesn’t have acesss to it.

Looking at the security aspects of localstorage, and my rough idea is to do something like the following.

  1. Set up CSP to prevent any js not from my domain
  2. Add a cache provider (custom cache option in auth0-js-spa) that makes a call to the API with one part of the token. The server sets a http-only cookie with that part of the token. The other part of the token is stored in localstorage. The get part would only be able to retrieve part of the token.
  3. When accessing the backend, the client sends the localstorage part of the token in a header, and the http-only cookie part via cookie (of course).
  4. The server joins the two parts of the token.

My thinking is:

If only part of the token is in localstorage, it mitigates the risk of anyone retrieving the token via XSS.
If only part of the token is in cookie, it partially mitigates the risk of CSRF session hijacking, and mitigates the risk of retrieving the token via HTTP TRACE.

My questions are:

  1. Does this seem like a good idea?
  2. Does this sound like it could be done with auth0-spa-js? Would it prevent token refresh?
  3. Would I be better doing some server-side integration with auth0?

Previous message deleted due to SPAM reasons.

Here are some basic considerations to keep in mind when using tokens:

Keep it secret. Keep it safe: The signing key should be treated like any other credential and revealed only to services that need it.

Do not add sensitive data to the payload: Tokens are signed to protect against manipulation and are easily decoded. Add the bare minimum number of claims to the payload for best performance and security.

Give tokens an expiration: Technically, once a token is signed, it is valid forever—unless the signing key is changed or expiration explicitly set. This could pose potential issues so have a strategy for expiring and/or revoking tokens.

Embrace HTTPS: Do not send tokens over non-HTTPS connections as those requests can be intercepted and tokens compromised.