Most security professionals agree that storing access tokens and refresh tokens in browser storage (local storage or session storage) is a security risk because it makes your application vulnerable to XSS attacks.
Therefore, I am curious about the recommended way to use this library while persisting user sessions without being vulnerable to XSS. I
can envision this flow, but I am unsure how it would integrate with react-oidc-context :
- User initiates the sign-in process.
- The frontend redirects to the Identity Provider (IDP).
- The user signs in.
- The IDP redirects the user back to the redirect URI with an authorization_code.
- The frontend sends the authorization_code to the backend API.
- The backend exchanges the code for access_token, id_token, and refresh_token with the IDP.
- The backend sets the refresh_token in a HttpOnly + Secure cookie and returns the access/id tokens to the frontend, if necessary.
Is there a way to implement this type of flow with this library? Or is there another way ?
Thank you in advance for your help.
Most security professionals agree that storing access tokens and refresh tokens in browser storage (local storage or session storage) is a security risk because it makes your application vulnerable to XSS attacks.
Therefore, I am curious about the recommended way to use this library while persisting user sessions without being vulnerable to XSS. I
can envision this flow, but I am unsure how it would integrate with react-oidc-context :
Is there a way to implement this type of flow with this library? Or is there another way ?
Thank you in advance for your help.