Token from "getAccessTokenSilently" in frontend insecure?

manuel.poelzl1 · June 4, 2024, 8:02pm

Hi!

I have a question regarding the “correct” use of the “getAccessTokenSilently” function.

As I understand it, I get a token here and it is stored in memory and then read from it when it is needed. I am currently using my own Axios instance, which has an interceptor function and writes the token to the header. But theoretically this token could be intercepted by anyone in the frontend or not? I would therefore like to know what would be the best way to make the whole thing reasonably secure.

Sorry if this is the wrong subcategory!

Thanks in advance!

tyf · June 4, 2024, 10:17pm

Hey there @manuel.poelzl1!

Assuming the Axios instance and general coding practices are secure, storing tokens in memory and utilizing HTTPS along with other best practices provide a reasonable level of security.

manuel.poelzl1 · June 6, 2024, 4:33pm

Thank you very much for your reply @tyf!
But theoretically speaking, wouldn’t it be possible for someone to just add a breakpoint with the browser DevTools and then just execute the getAccessTokenSilently function?

This maybe Is a stupid question, but I just want to make sure.

tyf · June 6, 2024, 7:32pm

Happy to help!

I suppose they could, but it could only be invoked by an authenticated user within their own session.

manuel.poelzl1 · June 7, 2024, 8:29am

That makes sense!
Thank you very much for the explanation!

tyf · June 7, 2024, 2:46pm

No problem, happy to help!

system · June 21, 2024, 2:46pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.