Recently I was reading OIDC documentation for browser based applications and I found that one of the recommendations is to use a service worker (you can see it here). I'm quite fresh to service workers but I know that it is possible to intercept fetch, so it is possible to add the access token to each external API request. The problem is how should I safely store the token? Can I just cache it by calling `const cache = await caches.open("my-cache");` and then just add the token to the cache?
Asked by Mateusz
Viewed 66 times
- The very document you link tells you how to store the tokens: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#name-token-storage-in-the-browse – user229044 Jul 03 '23 at 00:31
- @user229044 indeed there is a section about how to store tokens but it is not clear for me how to handle it in a service worker. Recommendation: "the Service Worker MUST NOT store tokens in any persistent storage API that is shared with the main window" still doesn't say how to store the token. Do I understand correctly that using a service worker is not a good idea for now because there isn't storage that is private to the service worker context? – Mateusz Jul 03 '23 at 06:38
- See this video about why you should not store tokens in the browser https://www.youtube.com/watch?v=lEnbi4KClVw – Tore Nestenius Jul 03 '23 at 07:55
- @Mateusz You're meant to let the service worker do the authorization flow, so the token never touches your non-service-worker code. Unless you need to access the token from JavaScript, use an HttpOnly Secure cookie and be done with it. – user229044 Jul 03 '23 at 14:31
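An added example in JavaScript (not code from the question, from the comments or from the OAuth draft) of the pattern user229044 describes and the draft's storage rule: the service worker keeps the access token only in its own memory, attaches it to fetches bound for the API origin, and answers the page's messages without ever handing the token over. The API origin, the token values and the file name are constructed assumptions, and the authorization flow itself (how the worker obtains the token) is not shown; `setToken` stands in for its result.

```javascript
// sw-token-broker.js (hypothetical file name; example code, not from the draft or the question)

// The token lives ONLY in this worker's memory: not in Cache Storage, IndexedDB or
// localStorage. Page scripts cannot read a worker's variables, which is what the draft's
// "MUST NOT store tokens in any persistent storage API shared with the main window" protects.
const tokenStore = { accessToken: null, expiresAt: 0 };

// Only requests to this origin get a bearer token. Constructed value for the example.
const API_ORIGIN = "https://api.example.test";

// Called by the worker after it has completed the authorization flow (not shown here).
function setToken(accessToken, expiresInSeconds, now = Date.now()) {
  tokenStore.accessToken = accessToken;
  tokenStore.expiresAt = now + expiresInSeconds * 1000;
}

function clearToken() {
  tokenStore.accessToken = null;
  tokenStore.expiresAt = 0;
}

// Returns the token while it is still valid, otherwise null (expired tokens are never sent).
function currentToken(now = Date.now()) {
  if (tokenStore.accessToken === null || now >= tokenStore.expiresAt) return null;
  return tokenStore.accessToken;
}

// Attach the token only to HTTPS requests whose origin matches exactly; a malformed URL,
// a different host or a lookalike host (api.example.test.attacker...) gets nothing.
function shouldAttachToken(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;
  }
  return url.protocol === "https:" && url.origin === API_ORIGIN;
}

// Pure helper: returns a copy of the plain header object with Authorization added
// when the request qualifies and a valid token is held; otherwise an unchanged copy.
function authorizedHeaders(urlString, headers, now = Date.now()) {
  const out = { ...headers };
  const token = currentToken(now);
  if (!shouldAttachToken(urlString) || token === null) return out;
  out.Authorization = `Bearer ${token}`;
  return out;
}

// Messages from the page get a reply that never contains the token: the page may ask
// whether it is logged in or request a logout, but it cannot ask for the token itself.
function handleMessage(message) {
  switch (message && message.type) {
    case "status":
      return { type: "status", authenticated: currentToken() !== null };
    case "logout":
      clearToken();
      return { type: "logged-out" };
    default:
      return { type: "error", reason: "unknown message type" };
  }
}

// Wiring into the service worker global scope; skipped outside a worker (e.g. under Node).
if (typeof self !== "undefined" && "clients" in self) {
  self.addEventListener("fetch", (event) => {
    const req = event.request;
    if (!shouldAttachToken(req.url)) return; // not the API: let the browser handle it
    const token = currentToken();
    if (token === null) return; // no valid token: forward unauthenticated, let the API say 401
    const headers = new Headers(req.headers);
    headers.set("Authorization", `Bearer ${token}`);
    event.respondWith(fetch(new Request(req, { headers })));
  });

  self.addEventListener("message", (event) => {
    if (event.source) event.source.postMessage(handleMessage(event.data));
  });
}
```

The trade-off of keeping the token in a module variable is that the browser may terminate an idle service worker at any time, at which point the token is gone and the worker has to re-run the authorization flow (typically silently, with a refresh token it also holds in memory, or via the session cookie at the authorization server). That loss is by design: persisting the token anywhere the page can reach would reintroduce exactly the exposure the draft is trying to avoid.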