Throughout the Auth0 documentation (and blog posts) when refresh tokens are mentioned it says that they are “subject to strict storage requirements”. What, exactly, does this mean? What qualifies as strict? localStorage on a computer that requires a user log in? Secure, HTTPS-only cookies? Finger-print encrypted storage on a mobile device?
It’s hard to precisely state the requirements because they sometimes also depend on the security requirements of the system itself. In general, do not store refresh tokens in browser-based applications, in particular, Web Storage (
localStorage,sessionStorage`) is not suitable given it significantly increases the chance of a leak. For example, you’ll always be one XSS away from a leak. In relation to HTTP-only cookie, by design, they are only readable to the server-side so just avoid the risk and store the refresh token directly on the server-side.
For web applications, the refresh tokens should be stored server-side; for mobile applications they should be stored in the most secure storage available for the OS in question. In particular, you must ensure that other applications (at least for non-rooted devices) cannot read the refresh tokens issued to Application X.