This question can be seen as a follow-up to: how a refresh token should be saved.
I have a native Windows app that uses Keycloak for authentication with OpenID Connect. To let the user log in, the app shows a web view that is directed to the login page generated by Keycloak. After the user has successfully logged in, Keycloak sends a redirect that is intercepted by the app. This way the app gets the authorization code that it then uses to retrieve access and refresh tokens from Keycloak. So far, this follows the authorization code flow and is (I think) all according to best practices for native apps.
However, when the user checks the "Remember me" option on the login page, some more things happen. Some persistent cookies are created: KEYCLOAK_SESSION, KEYCLOAK_IDENTITY, and KEYCLOAK_REMEMBER_ME. When the user opens the app the next time, those cookies are sent to Keycloak, and if the session has not yet expired on the server side, the login page is skipped and the user is directly authenticated.
Are those cookies equivalent to user credentials? Are they a security problem?
Persistent cookies are stored on the user's hard disk. I am not sure whether they are always stored encrypted.
What is the difference, security-wise, to storing a refresh token on the hard disk?
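The redirect interception and token exchange described in the question, as an added example that is not part of the original post: it assumes the app generates a `state` value and a PKCE pair (the native-app best practice; the question does not say whether PKCE is used) and treats the three Keycloak "Remember me" cookies as login credentials at rest, on a par with the refresh token.

```python
# Added example, not the question author's code. Models the native-app side of the
# Keycloak authorization code flow: PKCE pair, redirect validation, token request body,
# and identifying which web-view cookies are long-lived login state.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlparse

# Persistent cookies Keycloak sets when "Remember me" is checked (named in the question).
KEYCLOAK_PERSISTENT_COOKIES = {"KEYCLOAK_SESSION", "KEYCLOAK_IDENTITY", "KEYCLOAK_REMEMBER_ME"}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_pkce_pair():
    """Return (code_verifier, S256 code_challenge). PKCE is assumed here as the
    native-app best practice; it binds the code exchange to this app instance."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


def extract_code(redirect_url: str, expected_state: str) -> str:
    """Pull the authorization code out of the intercepted redirect, refusing it
    unless the state echoes the value the app generated for this login attempt."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this login attempt")
    if "error" in q:
        raise ValueError(f"authorization server returned error: {q['error'][0]}")
    return q["code"][0]


def token_request(code: str, verifier: str, client_id: str, redirect_uri: str) -> dict:
    """Form body the app POSTs to Keycloak's token endpoint to exchange the code."""
    return {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "redirect_uri": redirect_uri, "code_verifier": verifier}


def credential_cookies(cookies: dict) -> dict:
    """Select the web view's Keycloak remember-me cookies: whoever holds these can
    skip the login page, so they need the same at-rest protection (and the same
    deletion on logout) as a stored refresh token."""
    return {k: v for k, v in cookies.items() if k in KEYCLOAK_PERSISTENT_COOKIES}
```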