Hi @steve.hobbs, reading through this thread I think I have a good grasp on the implementation. So as I understand it, storing tokens or other sensitive data in localStorage is generally a bad practice as it makes your application vulnerable to XSS. I have a few questions I was hoping you could help with that are related to this post, but if need be, I can create a separate thread.
- With the Rotating Refresh token approach, it’s okay to store the refresh and access tokens in local storage as the Auth0 team has built in the reuse detection feature, correct?
- When the reuse detection is triggered and all the refresh tokens are invalidated, will this just essentially render the session inactive for the legitimate client and thus require them to log in again?
- I have a backend Node/Express API which my React SPA uses to get non-user-related data. When the user logs in on the client and gets the refresh, access, and ID tokens, I'm thinking that I store the refresh token in local storage on the client while relying on refresh token rotation to render that token useless if need be and providing the user with a secure session through page refreshes. When I need to make an authenticated call to get user-related data, should I make the call that gets a new access and refresh token directly from the client side, or should I make a call to my Express API first, which then makes the call to Auth0 to get new tokens? I would think the former would work, but I wasn't sure if there were vulnerabilities I could encounter doing it that way.
Apologies for the block of questions. Any help will be greatly appreciated!