We have a fairly typical SPA + rest API application where we use Auth0 for authentication. Originally we had been storing the accessToken in Local Storage. We have come to learn of the security concerns with doing that and are working to resolve. However, it’s not clear exactly what the solution would be.
I am looking through the "Solution Overview (SPAs + API)" article. It generally makes sense. It's basically what we are doing already. However, the question remains, where should we store our access token. Certainly not local storage. We could use a cookie, but AFAIK, it wouldn't be an HttpOnly cookie, because JavaScript needs to create the cookie.
So, then is a normal cookie any more secure than local storage?
I'm sorry, but I'm still not following. I have read through the "Where to store Tokens" article, and it says, "If your single-page app has a backend server at all, then tokens should be handled server-side using the option 1, 2, or 3."
When I look at the articles for option 1, 2 or 3, they have steps like this:
Your Auth0 Authorization Server responds with an ID Token and Access Token (and optionally, a Refresh Token).
Your application can use the Access Token to call an API to access information about the user.
Which seems to gloss over WHERE you store the access token.
To be honest, I’m not quite sure what this particular paragraph around an “SPA with a backend” is referring to, I will clarify this internally.
Which seems to gloss over WHERE you store the access token.
Yes, I noted that as well, especially for the Regular Web App and the Native/Mobile App scenarios. I’ve logged this internally for improvement today.
Anyway, from what I understand, you have a SPA and an API you're protecting which are separate from each other, so the described scenario for SPA without a backend would apply. Therefore, the Silent Authentication approach should work well for you.
How do you get the access token from Auth0 in the first place? Which SDK are you using? Is it auth0-js or auth0-spa-sdk (the new SDK)?
(So, I guess you’re either using the Implicit Grant or the Authorization Code Grant with PKCE).
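As an added illustration of the "keep it in memory and rely on silent authentication" approach mentioned above (this is example code, not from the thread or from Auth0's SDKs): the token lives only in a closure, is re-acquired through a `renew` callback that is assumed to wrap the SDK's silent-authentication call (for example a `getTokenSilently()`-style function), concurrent renewals are collapsed into one, and the token is only ever sent as a bearer header to one expected API origin.

```javascript
// In-memory access-token holder for a SPA. The token is never written to
// localStorage or a cookie, so it is not readable from persistent storage and
// disappears on reload; silent authentication simply re-acquires it.
// `renew` is an assumed stand-in for the SDK's silent-auth call and must
// resolve to { accessToken, expiresIn } with expiresIn in seconds.
function createTokenStore(renew, { skewSeconds = 30, now = () => Date.now() } = {}) {
  let token = null;     // access token, held only in this closure
  let expiresAt = 0;    // epoch ms after which the token is treated as stale
  let inFlight = null;  // pending renewal, shared by concurrent callers

  // Treat the token as stale `skewSeconds` early so a request never races expiry.
  function isValid() {
    return token !== null && now() + skewSeconds * 1000 < expiresAt;
  }

  async function getAccessToken() {
    if (isValid()) return token;
    if (!inFlight) {
      inFlight = Promise.resolve()
        .then(renew)
        .then(({ accessToken, expiresIn }) => {
          if (typeof accessToken !== 'string' || !(expiresIn > 0)) {
            throw new Error('silent renewal returned an unusable token');
          }
          token = accessToken;
          expiresAt = now() + expiresIn * 1000;
          return token;
        })
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  }

  function clear() { token = null; expiresAt = 0; }

  // Attach the token as a bearer header, and only for the API origin we expect,
  // so a mistaken or manipulated URL cannot leak it to another host.
  async function fetchWithToken(fetchImpl, url, options = {}, allowedOrigin) {
    if (new URL(url).origin !== allowedOrigin) {
      throw new Error('refusing to send access token to unexpected origin');
    }
    const headers = { ...(options.headers || {}), Authorization: `Bearer ${await getAccessToken()}` };
    return fetchImpl(url, { ...options, headers });
  }

  return { getAccessToken, fetchWithToken, clear, isValid };
}
```

Because nothing persists, the first call after a page load always goes through `renew`, which is exactly the silent-authentication round trip the reply above refers to.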