We are building an application with a React/Redux frontend and a NodeJS/Express Backend. I, not being a security expert, opted to go with Auth0 to handle Authentication.

Auth0 returns an ID Token and an Access Token when a user logs in; this access token is used to authenticate and access our backend API.

We've seen this Access token stored before in Local Storage but Auth0 then contradicts that here. Furthermore, in this answer it seems that some recommend storing in Local Storage, as does this one.

This has me terribly confused. How can we store and persist the token without storing it in memory? We could store it in Redux only but it'll clear on refresh which isn't a solution.

Auth0's Diagram for Auth Flow

Here they show that the User Signs in and the Access Token is returned and that later it is to be sent along with API Requests, which I understand, but where is it to be stored in the meantime?

How are we supposed to store the access tokens so our application can access our API? Or are we not supposed to store it at all?

Matt Weber

  • You can store the access token in a cookie. The cookie won't be accessible to other web applications. – kapil May 08 '19 at 03:46
  • So is storing the token in a Cookie the absolute answer? Or are there other routes I should be looking at? It seems that Cookies are a disputed choice as well https://stackoverflow.com/questions/41076736/is-storing-an-oauth-token-in-cookies-bad-practise – Matt Weber May 08 '19 at 12:39
  • @MattWeber You don't have many options. The question you link to has a link to using cookies. Bottom line is that it depends on how secure you need it to be--keeping in mind that since you already have an API a page refresh isn't really an issue, because you can re-send an identity and let the server decide if they're still authenticated, if you don't want to store it in a cookie. – Dave Newton May 08 '19 at 12:46
  • Not storing it in local storage is a recommendation, not the absolute truth. I usually store the token in local storage. Storing in a cookie is a better choice. – kapil May 08 '19 at 12:48
  • It appears Auth0 recommends storing the token in memory (State) and then using Silent Authentication? https://auth0.com/docs/api-auth/tutorials/silent-authentication – Matt Weber May 08 '19 at 19:52

2 Answers

We decided to store access tokens in a React Context Provider. Looks like Auth0 has updated their quickstart guide to do the same.

Matt Weber


The best way to store AT/RT is by using a distributed cache memory for your client backend servers. This way, you make sure that all API calls must transit through your backend application. In your frontend, you pass only the ID_Token, which has to be used to identify your end users. User sends ID_Token --> Client (backend web app) checks the ID_Token and gets the AT from cache memory --> Call the APIs with AT.

Kacem