
I'm storing both the access token and refresh token in local storage. Is this correct?

Detail: I have an Angular 2 application. The user loads my application and then authenticates (username, password) with my API. They are provided with an access token and a refresh token. The client uses the access token until it expires (15 minutes) and then, after hitting a 401 error, uses the refresh token (lifetime of 6 months) to update the access token.

My setup is similar to this: http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/

I've seen similar questions and advice to store refresh tokens on the server, but I'm not really sure how I'd do that in my case (as far as I can see the client kind of needs to keep that refresh token locally): where to store - access token and refresh token in OAuth 2.0

Nathan Cooper

1 Answer

It's a good idea to protect the refresh and access tokens from malicious access. This can come from an XSS script, browser plugins, etc.

With a traditional web application and browser cookies, there is some protection using the HttpOnly and Secure flags. The HttpOnly flag tells the browser not to allow JS access (only send the cookie to the host with requests). The Secure flag tells the browser to only send the cookie if the transport is secure (TLS).

The refresh token should be treated like a password or key, since it can be used to request a new access token. A lifespan of 6 months is a large window of exposure. I would use a shorter timespan and make the expiration sliding. For example, days or weeks, and refresh both tokens every so often.

Unfortunately, I do not know how to protect local storage yet. I wish I could be more help in this area. :-(

Mark Good