This question is a follow-up to “VUE SPA offline, how to remain authenticated?”.
The documentation mentions two things in relation to offline authentication.
- Using localStorage opens you up to XSS attacks.
Ok, I understand this in principle. However, it seems that there is no alternative when remaining authenticated while offline is required? Also, to make an educated decision on using localStorage, how real/bad is this danger?
- Rotating tokens have some relation to offline authentication.
Following the paragraph on localStorage is the one on rotating refresh tokens, which mentions:
“Once configured, the SDK will request the offline_access scope during the authorization step.”
I’ve been re-reading the docs on it a few times, but have difficulty making it click as to what this really does/fixes, and whether it is intended as a fix (or even a requirement) for localStorage + offline mode?
While tinkering with my site, I first changed to rotating tokens and then added localStorage; this combo made it work. I now wonder if I have to move back to non-rotating tokens again?
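The connection between the two points the question raises (localStorage being readable by any script that runs in the page, and refresh-token rotation) is easier to see in a small simulation than in the docs. The following is an added illustration written for this page, not code from the original post, from Auth0, or from the auth0-spa-js SDK: it models a token endpoint in memory with a `rotate` switch, a constructed fake `localStorage` holding the cached refresh token, and an attacker script that copies the token out of that storage. The class name, method names and the `reuse_detected` / `family_revoked` reason strings are assumptions made for the example. It shows why a leaked refresh token is a long-lived credential without rotation, and why rotation with reuse detection (the pattern in RFC 6819 §5.2.2.3, which is what rotating refresh tokens are meant to provide) limits what the thief gets to a single use before the whole token family is revoked.

```javascript
// Simulated token endpoint with optional refresh-token rotation and reuse
// detection. Illustrative only; not the Auth0 implementation.
class TokenService {
  constructor({ rotate }) {
    this.rotate = rotate;
    this.seq = 0;                     // counter stands in for random token material
    this.refreshTokens = new Map();   // refreshToken -> { userId, familyId, used }
    this.revokedFamilies = new Set(); // families killed by reuse detection
  }

  // Tokens handed out after the authorization step (offline_access granted).
  // A "family" is the chain of refresh tokens descending from one login.
  issueInitial(userId) {
    const familyId = `fam-${++this.seq}`;
    return this.mint(userId, familyId);
  }

  mint(userId, familyId) {
    const refreshToken = `rt-${++this.seq}`;
    this.refreshTokens.set(refreshToken, { userId, familyId, used: false });
    return { accessToken: `at-${++this.seq}`, refreshToken };
  }

  // Equivalent of a grant_type=refresh_token call to the token endpoint.
  refresh(refreshToken) {
    const rec = this.refreshTokens.get(refreshToken);
    if (!rec) return { ok: false, reason: 'invalid_grant' };
    if (this.revokedFamilies.has(rec.familyId)) {
      return { ok: false, reason: 'family_revoked' };
    }
    if (!this.rotate) {
      // Non-rotating: the same refresh token stays valid indefinitely.
      return { ok: true, accessToken: `at-${++this.seq}`, refreshToken };
    }
    if (rec.used) {
      // Rotating: an already-rotated token was presented again. Either the
      // legitimate client or a thief is holding a stale copy, so both lose.
      this.revokedFamilies.add(rec.familyId);
      return { ok: false, reason: 'reuse_detected' };
    }
    rec.used = true;
    return { ok: true, ...this.mint(rec.userId, rec.familyId) };
  }
}

// Constructed stand-in for window.localStorage; any script running in the
// page origin (including injected XSS payloads) can read it the same way.
function makeFakeLocalStorage() {
  const store = new Map();
  return {
    setItem: (k, v) => store.set(k, v),
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    keys: () => [...store.keys()],
  };
}

// What an injected script can do: enumerate the cache and lift the tokens.
function xssReadTokens(localStorage) {
  const dumped = {};
  for (const k of localStorage.keys()) dumped[k] = localStorage.getItem(k);
  return dumped;
}

// Scenario: SPA caches tokens in localStorage, XSS steals the refresh token,
// attacker refreshes, then the legitimate client refreshes, then the attacker
// tries again. Returns what each party got.
function leakScenario({ rotate }) {
  const svc = new TokenService({ rotate });
  const ls = makeFakeLocalStorage();

  const initial = svc.issueInitial('user-1');
  ls.setItem('cache.refresh_token', initial.refreshToken); // assumed cache key

  const stolen = xssReadTokens(ls)['cache.refresh_token'];

  const attacker = svc.refresh(stolen);            // thief uses the copy first
  const victim = svc.refresh(stolen);              // client still holds the old token
  const attackerAgain = svc.refresh(
    attacker.ok ? attacker.refreshToken : stolen); // thief tries to keep going

  return {
    attackerFirstUse: attacker.ok,
    victimResult: victim.ok ? 'ok' : victim.reason,
    attackerSecondUse: attackerAgain.ok ? 'ok' : attackerAgain.reason,
  };
}

module.exports = { TokenService, makeFakeLocalStorage, xssReadTokens, leakScenario };
```

Run `leakScenario({ rotate: false })` and every refresh succeeds: once the token is in localStorage and an XSS payload has read it, the thief has a standing credential. With `rotate: true` the thief's first refresh still works (rotation does not stop the theft itself), but the victim's next refresh trips reuse detection and the family is revoked, so the thief's follow-up refresh fails and the real user is simply asked to log in again. That is the trade the docs are hinting at: localStorage is what makes the refresh token reachable from the page, and rotation is what bounds the damage when it is reached.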