SPA, PWA offline mode, localStorage + rotating tokens?

This question is a follow-up on “VUE SPA offline, how to remain authenticated?”.

The documentation mentions two things in relation to offline authentication.

  1. Using localStorage opens you up to XSS attacks.
    https://auth0.com/docs/libraries/auth0-spa-js#change-storage-options

Ok, I understand this on principle. However, it seems that there are no alternatives when remaining authenticated and offline are required? Also, to make an educated decision on using localStorage, how real/bad is this danger?

  2. Rotating tokens have some relation to offline authentication.
    https://auth0.com/docs/libraries/auth0-spa-js#use-rotating-refresh-tokens

Following the paragraph on localStorage is the one on rotating refresh tokens, it mentions:

“Once configured, the SDK will request the offline_access scope during the authorization step.”

I’ve been re-reading the docs on it a few times, but have difficulty making it click as to what this really does/fixes, and whether this is intended as a fix (or even a requirement) for localStorage+offline mode?

While tinkering on my site, I first changed to rotating tokens, and then added localStorage; this combo made it work. I now wonder if I have to move back to non-rotating tokens again?

Before rotating refresh tokens were implemented we would continue a session (issue new access tokens) by verifying a cookie. This is still an option, but has become less reliable because of ITP implemented in some browsers.

The tokens rotate as an added security feature. All of this is outlined in the docs you have linked. There is plenty of debate out there about how vulnerable modern frameworks are to XSS and how many are automatically protecting against it, but that is a larger question.

The offline_access scope is a specific request for an edit: access token refresh token. If you want to read about it specifically, you can see the spec here:

https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

In regards to #1: Can someone confirm that in order to remain authenticated offline, you need to employ a form of local storage?

It seems that there are no alternatives when remaining authenticated and offline are required?

Can I summarise this in an answer as: Yes. Rotating refresh tokens improve security when using localStorage and are the preferred choice when remaining authenticated offline is used?

In addition, for other people stumbling upon this topic who are entirely new to authentication/authorization; I found this useful to start understanding the aforementioned “scopes”:

https://auth0.com/docs/protocols/oauth2


I think defining what you mean by remain authenticated offline could be helpful here. In the past, SPAs have used silent auth (with cookies and no localstorage) to get a new access token without user interaction.

I think that is fair. If cookies are being blocked by ITP then it is the only option we recommend.

Thanks for providing this insight.
