Storage of OAuth access tokens in Javascript clients (e.g. Angular)


I'm looking into using IdentityServer4 together with ASP.NET WebAPI, Angular and so on.

In most examples of OAuth 2 with Javascript clients I've seen, the access token is stored in local storage or session storage. I have also read posts where they think that's a bad idea, for example these two: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage and http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/.

Is there any way to use cookies for the APIs instead, like the posts mention, with IdentityServer?


1 answer

leastprivilege

My personal opinion is that session/local storage (depends on your needs) is the right place.

The prerequisite for that is that your JS code is secure. The only way to enforce that is a restrictive content security policy.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

IOW - CSP is mandatory for every JS application
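The answer makes a restrictive CSP the precondition for keeping tokens in web storage. As an added example that is not part of the question or answer, and not IdentityServer's own code, the following JavaScript parses a `Content-Security-Policy` header value, flags the directive values that would let injected script run (and therefore read the stored token), and builds a restrictive policy of the kind the answer calls for. The header strings and the host `https://cdn.example.test` are constructed for the example.

```javascript
// Added example: audit a Content-Security-Policy header for settings that
// leave script execution (and therefore tokens in web storage) unprotected.
// The sample policies below are constructed for this example.

// Parse "directive v1 v2; directive v3" into a Map of directive -> [values].
// As in browsers, the first occurrence of a repeated directive wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// A nonce or hash source makes browsers ignore 'unsafe-inline' for that directive.
function hasNonceOrHash(values) {
  return values.some(v => /^'(nonce-|sha(256|384|512)-)/i.test(v));
}

// Return a list of findings; an empty list means no weakness was detected.
function auditCsp(header) {
  const csp = parseCsp(header);
  const findings = [];

  // script-src falls back to default-src when absent.
  const scriptSrc = csp.get('script-src') || csp.get('default-src');
  if (!scriptSrc) {
    findings.push('no script-src and no default-src fallback: any script may run');
    return findings;
  }

  for (const raw of scriptSrc) {
    const v = raw.toLowerCase();
    if (v === "'unsafe-eval'") {
      findings.push("script-src allows 'unsafe-eval'");
    } else if (v === "'unsafe-inline'" && !hasNonceOrHash(scriptSrc)) {
      findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
    } else if (v === '*' || v === 'http:' || v === 'https:' || v === 'data:') {
      findings.push(`script-src allows wildcard or scheme-wide source ${raw}`);
    }
  }

  // object-src falls back to default-src; base-uri has no fallback at all.
  if (!csp.has('object-src') && !csp.has('default-src')) {
    findings.push('no object-src: plugin content can be loaded');
  }
  if (!csp.has('base-uri')) {
    findings.push('no base-uri: an injected <base> tag can redirect relative script URLs');
  }
  return findings;
}

// Build a restrictive policy: same-origin everything, explicit script hosts,
// no plugins, no <base> hijacking, and no framing of the application.
function buildRestrictiveCsp(extraScriptHosts = []) {
  const scriptSources = ["'self'", ...extraScriptHosts].join(' ');
  return [
    "default-src 'self'",
    `script-src ${scriptSources}`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Constructed sample header values used for the stand-alone run.
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:";
const STRICT_POLICY = buildRestrictiveCsp(['https://cdn.example.test']);

console.log('weak policy findings:', auditCsp(WEAK_POLICY));
console.log('strict policy findings:', auditCsp(STRICT_POLICY));
```

Run it with `node` to see four findings for the weak policy and none for the generated one. The checks mirror how browsers resolve the header: `script-src` and `object-src` fall back to `default-src`, `base-uri` does not, and a nonce or hash source neutralises `'unsafe-inline'` for that directive, so the audit does not flag the common nonce-plus-fallback pattern.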