2

I'm looking into using IdentityServer4 together with ASP.NET WebAPI, Angular and so on.

In most examples of OAuth 2 with JavaScript clients I've seen, the access token is stored in local storage or session storage. I have also read posts where they think that's a bad idea, for example these two: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage and http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/.

Is there any way to use cookies for the APIs instead, like the posts mention, with IdentityServer?

Jesse Kernaghan
martintro
  • Possible duplicate of [Where to save a JWT in a browser-based application and how to use it](http://stackoverflow.com/questions/26340275/where-to-save-a-jwt-in-a-browser-based-application-and-how-to-use-it) – cchamberlain Dec 21 '16 at 19:14

1 Answer

4

My personal opinion is that session/local storage (depends on your needs) is the right place.

The prerequisite for that is that your JS code is secure. The only way to enforce that is a restrictive content security policy.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

IOW - CSP is mandatory for every JS application

leastprivilege
  • I share this opinion, Web Storage is the adequate choice for most scenarios. @martintro, no matter the choice there will be security related considerations, you may find this [pros and cons](http://stackoverflow.com/a/40376819/204699) type of answer, covering Web Storage and cookies, on a related question helpful. – João Angelo Dec 21 '16 at 11:23
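As an added example (not from the answer, and not IdentityServer code), here is a small audit of the CSP directives that matter once an access token lives in Web Storage: a policy that lets foreign or inline script run makes the storage choice moot. The IdentityServer and API origins are constructed placeholders.

```javascript
// Added example: parse a Content-Security-Policy header and flag the
// directives that leave Web-Storage-held tokens readable by injected script.
// Constructed placeholder origins for the identity server and the API.
const IDENTITY_ORIGIN = "https://identity.example.com";
const API_ORIGIN = "https://api.example.com";

// Parse "directive src src; directive src" into Map<directive, [sources]>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Return a list of findings; an empty list means the policy is restrictive
// enough for a SPA that keeps tokens in sessionStorage/localStorage.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  // script-src falls back to default-src when absent.
  const scriptSrc = policy.get("script-src") || policy.get("default-src");
  if (!scriptSrc) {
    findings.push("no script-src or default-src: any script can run");
  } else {
    for (const src of scriptSrc) {
      if (["'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:", "data:"].includes(src)) {
        findings.push(`script-src allows ${src}`);
      }
    }
  }
  // connect-src decides where a script may send the token it just read.
  const connectSrc = policy.get("connect-src") || policy.get("default-src") || [];
  for (const src of connectSrc) {
    if (src === "*" || src.endsWith(":")) findings.push(`connect-src allows ${src}`);
  }
  // object-src 'none' closes the plugin-based script loophole.
  const objectSrc = policy.get("object-src") || policy.get("default-src") || [];
  if (!objectSrc.includes("'none'")) findings.push("object-src is not 'none'");
  return findings;
}

// The shape of policy the answer calls mandatory for a JS client.
const RESTRICTIVE_CSP = [
  "default-src 'self'",
  `connect-src 'self' ${IDENTITY_ORIGIN} ${API_ORIGIN}`,
  "script-src 'self'",
  "object-src 'none'",
  "base-uri 'self'",
].join("; ");
```

Send the resulting string as the `Content-Security-Policy` response header from the host that serves the SPA; `auditCsp` is only a pre-deployment check, not enforcement.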