SPA: custom domain + silent auth vs refresh tokens + rotation

Hi all,

We have Auth0 tenants with custom domains (auth.product.com) and an SPA (web.product.com) which talks to our Spring API.

Is there a general recommendation on which mechanism we should use? Cookies + silent auth vs. refresh tokens in local storage + token rotation?

Best

Chris

Hi @chris_b

Thank you for reaching out to us!

Both architectures should prove sustainable, but taking an overall consideration of security, user experience and ease of implementation, I would recommend choosing the refresh token in local storage + rotation route. This would combine the ease of utilizing local storage with the stateless nature of JWTs (JSON Web Tokens) and, with a robust implementation, would allow your application to handle access token/refresh token exchanges in a seamless manner, without compromising user experience.

Allow me to share some documentation that should assist with the implementation:

An additional point for added security that we recommend for SPAs is the use of Authorization Code Flow with Proof Key for Code Exchange (PKCE), which offers the highest grade in securing applications and also runs with the use of refresh tokens, in case this suits your environment.

Hope this helped, do not hesitate to reach out to us for any other issues or requests!

Have a great one,
Gerald

1 Like

Hey @gerald.czifra ,

thanks for taking the time to write such an awesome response.

We already implemented the refresh token approach using the SPA SDK for Angular with token rotation configured in our tenants. I just wanted to verify, after adding custom domains, whether we should switch from a security perspective - less work I guess :).

Thanks for the hint about PKCE. As far as I understand the documentation, the SPA SDK should already do that?

Thanks!

Chris

1 Like

Hi @chris_b

That’s awesome, glad to see that we aligned on this wavelength! :handshake:

Sharing the doc here in case others find it useful: Auth0 Single Page App SDK Code Grant Flow with PKCE. But if you have followed this SDK, then yes, PKCE will be built in to offer the best security available for SPAs.

Good luck with your implementation!
Gerald