Storage of tokens
When a SPA only needs to talk to its own backend, OAuth adds attack vectors without providing any additional value and should be avoided in favor of a traditional cookie-based session.
When the SPA calls multiple APIs that reside on a different domain, access tokens, and optionally refresh tokens, are needed. A protocol then has to be established between the backend and the SPA so that the token can be transferred securely from the backend to the SPA. If your SPA has no corresponding backend server, it should request new tokens on login and hold them in memory without any persistence.
Browser in-memory scenarios
Auth0 recommends storing tokens in browser memory as the most secure option. Using a Web Worker to handle the transmission and storage of tokens is the best way to protect them, because a Web Worker runs in a separate global scope from the rest of the application: code running on the main thread, including an injected script, cannot read the worker's variables directly.
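The pattern described above, as an added example that is not code from the original page or from Auth0: the access token lives only inside a Web Worker, which attaches it to requests for one allow-listed API origin and never hands it back to the main thread. It also covers the earlier point about keeping tokens in memory without persistence. The API origin `https://api.example.com`, the file name `token-worker.js`, and the message format are assumptions made for the example; the same file is loaded both as the page script and as the worker script.

```javascript
// Added example (not from the original page). Keeps the access token inside a
// Web Worker so main-thread code, including injected scripts, never holds it.
// The same file serves both contexts: the main thread loads it with
// `new Worker('token-worker.js')` (hypothetical file name) and the worker
// branch at the bottom installs the message handler.

// Hypothetical API origin the worker is allowed to attach the token to.
const API_ORIGIN = 'https://api.example.com';

// Worker-side state. The token is a closure variable; nothing here returns it.
function createTokenVault(origin) {
  const apiOrigin = new URL(origin).origin; // normalise (drops any path/slash)
  let accessToken = null;                   // lives only here, in the worker
  return {
    setToken(token) { accessToken = token; },
    hasToken() { return accessToken !== null; },
    // Build fetch arguments for a proxied request, or null if it must be
    // refused. Only same-origin API requests get the Authorization header, so
    // a compromised main thread cannot ask the worker to send the token to
    // an attacker-controlled host.
    authorize(url, init = {}) {
      const target = new URL(url, apiOrigin);
      if (target.origin !== apiOrigin || accessToken === null) return null;
      const headers = { ...(init.headers || {}), Authorization: `Bearer ${accessToken}` };
      return { url: target.toString(), init: { ...init, headers } };
    },
  };
}

// Translate one main-thread message into either an immediate reply or the
// fetch the worker must perform. There is deliberately no "get-token" type.
function handleMessage(vault, msg) {
  switch (msg.type) {
    case 'set-token':
      vault.setToken(msg.token);
      return { reply: { id: msg.id, ok: true } };
    case 'request': {
      const prepared = vault.authorize(msg.url, msg.init || {});
      if (!prepared) return { reply: { id: msg.id, ok: false, error: 'refused' } };
      return { fetchArgs: prepared };
    }
    default:
      return { reply: { id: msg.id, ok: false, error: 'unknown message type' } };
  }
}

// Main-thread client: a promise-based wrapper around the worker. Callers get
// response status and body back, never the token or the Authorization header.
function createTokenClient(worker) {
  let nextId = 0;
  const pending = new Map();
  worker.onmessage = (event) => {
    const { id, ...reply } = event.data;
    const settle = pending.get(id);
    if (settle) { pending.delete(id); settle(reply); }
  };
  const send = (msg) => new Promise((resolve) => {
    const id = nextId++;
    pending.set(id, resolve);
    worker.postMessage({ id, ...msg });
  });
  return {
    setToken: (token) => send({ type: 'set-token', token }),
    request: (url, init) => send({ type: 'request', url, init }),
  };
}

// Worker branch: runs only when this file is executing inside a Web Worker.
if (typeof WorkerGlobalScope !== 'undefined' && self instanceof WorkerGlobalScope) {
  const vault = createTokenVault(API_ORIGIN);
  self.onmessage = async (event) => {
    const msg = event.data;
    const result = handleMessage(vault, msg);
    if (result.reply) { self.postMessage(result.reply); return; }
    const res = await fetch(result.fetchArgs.url, result.fetchArgs.init);
    self.postMessage({ id: msg.id, ok: true, status: res.status, body: await res.text() });
  };
}

// Main-thread usage (hypothetical):
//   const client = createTokenClient(new Worker('token-worker.js'));
//   await client.setToken(tokenFromCodeExchange); // after the PKCE code exchange
//   const me = await client.request('/me');
```

The caveat worth stating: this stops an XSS payload from reading or exfiltrating the token, but the payload can still call `client.request` and act with the user's privileges for as long as the page is open. The worker narrows the blast radius to the session and the allow-listed API origin; it does not make the application immune to script injection.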
Browser local storage scenarios
Using browser local storage can be a viable alternative to mechanisms that require retrieving the access token from an iframe, and to cookie-based authentication across domains, when these are not possible because of browser restrictions (for example, ITP2).
To reduce the security risk if your SPA is using the implicit flow (we recommend using the authorization code flow with PKCE instead) or a hybrid flow, you can reduce the absolute token expiration time, so that a token read out of local storage is useful to an attacker for a shorter window.
Hi, I'm Philippe, and I help developers protect companies through better web security. As the founder of Pragmatic Web Security, I travel the world to teach practitioners the ins and outs of building secure software. Want to learn more about OAuth 2.
Performing Subresource Integrity (SRI) checking on third-party scripts, where possible, to verify that the fetched resources are delivered without unexpected manipulation also improves security.