Secure cached token idea

dane.l · August 13, 2021, 6:54am

Looking at auth0-spa-js, but could potentially use server-side or anything else.

I have an SPA, connecting to a custom backend.

I’d like to persist the access token between requests, but don’t necessarily need access to it from javascript. In fact I’d prefer JS doesn’t have acesss to it.

Looking at the security aspects of localstorage, and my rough idea is to do something like the following.

Set up CSP to prevent any js not from my domain
Add a cache provider (custom cache option in auth0-js-spa) that makes a call to the API with one part of the token. The server sets a http-only cookie with that part of the token. The other part of the token is stored in localstorage. The get part would only be able to retrieve part of the token.
When accessing the backend, the client sends the localstorage part of the token in a header, and the http-only cookie part via cookie (of course).
The server joins the two parts of the token.

My thinking is:

If only part of the token is in localstorage, it mitigates the risk of anyone retrieving the token via XSS.
If only part of the token is in cookie, it partially mitigates the risk of CSRF session hijacking, and mitigates the risk of retrieving the token via HTTP TRACE.

My questions are:

Does this seem like a good idea?
Does this sound like it could be done with auth0-spa-js? Would it prevent token refresh?
Would I be better doing some server-side integration with auth0?

konrad.sopala · November 24, 2021, 11:32am

Previous message deleted due to SPAM reasons.

lasellardath · June 27, 2022, 3:55pm

Here are some basic considerations to keep in mind when using tokens:

Keep it secret. Keep it safe: The signing key should be treated like any other credential and revealed only to services that need it.

Do not add sensitive data to the payload: Tokens are signed to protect against manipulation and are easily decoded. Add the bare minimum number of claims to the payload for best performance and security.

Give tokens an expiration: Technically, once a token is signed, it is valid forever—unless the signing key is changed or expiration explicitly set. This could pose potential issues so have a strategy for expiring and/or revoking tokens.

Embrace HTTPS: Do not send tokens over non-HTTPS connections as those requests can be intercepted and tokens compromised.

Topic		Replies	Views
Is auth0-spa-js storing tokens in localStorage vulnerable to XSS? Help auth0-spa-js	5	4652	February 11, 2022
auth0.getTokenSilently vs storing access token in localstorage Help auth0-spa-js , sdks-quickstarts	0	1492	June 22, 2023
How does auth0-spa-js store tokens Help refresh-tokens	8	16400	September 27, 2019
Securing access tokens in SPA + API Help spa , rest-api	4	5501	August 2, 2019
Storing Auth0 tokens in session storage instead of local storage Help id_token , access-token , auth0-spa-js	4	15664	May 24, 2021

Secure cached token idea

Related topics