After reading some articles, I realize that using localStorage and sessionStorage is a bad idea for storing JWT tokens, and cookies with httpOnly should be used instead.
As I read more and learned a bit about indexedDB today, I wonder: is indexedDB a secure option for storing JWT tokens as well?
We recommend refresh token rotation, or silent authentication (based on a cookie session), to get new access tokens in SPAs without leaving them vulnerable to XSS attacks in localStorage.
If you haven't looked into using our SPA SDK, I highly recommend it.