Hello. I am now looking at various libraries for authentication via tokens (oauth2 / jwt-auth, etc.), and I don't understand one thing: as far as I know, all security-related data is best stored in httpOnly cookies. The above packages return an access token and a refresh token in the response. Setting an httpOnly cookie via JS is not possible. How do I store the access token on the client side?

The application is made without a server part, i.e. it is completely stateless. Only the API from the backend and the application on Vue.js are available. What should I do, where should I store the tokens?

  • In localStorage. - Pavel Mayorov
  • @PavelMayorov and what about security? Is this the best solution at the moment? It turns out that any attacker who gets access to localStorage gets access to the user's personal account? - Alexxosipov 1:54 pm
  • You must first get it. - Pavel Mayorov

1 answer

Here you write: "the application is made without the server side". This automatically means that no httpOnly cookies are available to you, regardless of whether you use tokens. Tokens should be stored wherever you can - in localStorage or similar places.

Now about security. Security of tokens is implemented through limiting the scope and lifetime. These restrictions work together: tokens with a wide range of actions are usually short-lived, and with a narrow range they can live for a long time.

For your part, you need to request the correct scope when you receive the token. For example, it is not the best idea to request scopes like users.profile:write and save such a token, but im:read can be saved for a long time (as an example, I took the token scopes from the Slack API).

If the application needs to change the account's security settings via the API, then it is better to request the token for this operation separately, and to forget it immediately after the operation without saving it anywhere.
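The storage policy described in this answer, as an added example that is not code from the post (plain browser JavaScript, framework-agnostic; the `PERSISTABLE_SCOPES` allow-list, the `TokenStore` class and the sample-token helper are assumptions, and the scope names are the Slack ones quoted above): a narrow read-only token is kept in localStorage (or any `Storage`-like object) and dropped once its `exp` has passed, while a wide-scope token for a sensitive call is held in memory for that one operation only.

```javascript
// Scopes that may be persisted: narrow, read-only ones (assumed allow-list).
const PERSISTABLE_SCOPES = new Set(["im:read", "users:read"]);

// base64url helpers (JWT segments are base64url without padding).
const toB64url = (s) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) => {
  const b = s.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b.padEnd(b.length + ((4 - (b.length % 4)) % 4), "="));
};

// Build an unsigned sample JWT: constructed test data only, real tokens come from the provider.
function makeUnsignedToken(claims) {
  return `${toB64url(JSON.stringify({ alg: "none", typ: "JWT" }))}.${toB64url(JSON.stringify(claims))}.`;
}

// Read `exp` (seconds) from a JWT without verifying it; the client only uses it
// to discard expired tokens early, the server still validates every request.
function jwtExpiryMs(token) {
  try {
    const claims = JSON.parse(fromB64url(token.split(".")[1] || ""));
    return typeof claims.exp === "number" ? claims.exp * 1000 : null;
  } catch { return null; } // opaque (non-JWT) token: no client-side expiry known
}

class TokenStore {
  // `storage` is anything with getItem/setItem/removeItem (localStorage in a browser).
  constructor(storage, now = () => Date.now()) { this.storage = storage; this.now = now; }

  // Persist only if every granted scope is on the allow-list; refuse otherwise.
  savePersistent(token, scopes) {
    if (!scopes.every((s) => PERSISTABLE_SCOPES.has(s))) return false;
    this.storage.setItem("access_token", JSON.stringify({ token, scopes }));
    return true;
  }

  // Return the stored token, or null (and clear it) once its `exp` has passed.
  getPersistent() {
    const raw = this.storage.getItem("access_token");
    if (!raw) return null;
    const { token } = JSON.parse(raw);
    const exp = jwtExpiryMs(token);
    if (exp !== null && exp <= this.now()) { this.storage.removeItem("access_token"); return null; }
    return token;
  }

  // Obtain a wide-scope token (e.g. users.profile:write) for one sensitive operation;
  // it lives only in this closure and is never written to storage.
  async withElevated(obtainToken, operation) {
    let token = await obtainToken();
    try { return await operation(token); } finally { token = null; }
  }
}
```

In a real app `obtainToken` would run the provider's authorization flow for the elevated scope, and `savePersistent` would be called only with the scopes actually granted in the token response.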

  • Pavel, thank you very much! Now I understand exactly how this is done :) - Alexxosipov