Sync auth state between multiple applications (SPA & Chrome Extension)

I would like to echo the sentiment from @minibar , localstorage can cause some security concerns.

With that said, the new refresh token rotation flow allows for the storage of rotating refresh tokens in localstorage. You can set the storage location in the spa sdk with the cacheLocation options, I am assuming that is what you did here @jannik. If you are conforming to those guidelines you should be good to go.