Say I have three components in a system:
- An identity service, hosted at
- A single page application, served from
- An API, protected by requiring a bearer token signed by
Within the single page application, would it not be considered secure to keep an access token in memory, and a rotating refresh token (set by id.mydomain.com, marked with all the expected security attributes as well as SameSite=strict) in a cookie? The refresh token would be rotated similarly to this auth0 article here: https://auth0.com/docs/tokens/ideas/refresh-token-rotation
My thinking for the flow would be as follows:
- User visits
- The SPA sends a request to the
- id.mydomain.com returns 401 because there is no refresh token cookie
- SPA redirects the user to
- User authenticates
- id.mydomain.com sets a refresh token cookie (with HttpOnly, Secure, SameSite=Strict) valid for
- User is redirected back to
- app.mydomain.com sends a request to the
- id.mydomain.com receives the cookie, because it is on the same overall domain.
- id.mydomain.com sets a new refresh token cookie, invalidates the old one, and returns a very short-lived access token
- app.mydomain.com can then store that access token in memory and use it to call the API at
- The access token expires, so the SPA sends another request to id.mydomain.com/token to refresh the tokens and the cycle continues.
I cannot see a way this would be particularly vulnerable: the refresh token would not be accessible to JS due to its protected attributes, and even if it is retrieved somehow, the rotation should ensure it isn't used more than once. The SameSite=true attributes should also protect against CSRF. I would also make the refresh token a signed JWT so the identity service can validate it and ensure it's issued by the right authority as well.
If this is insecure, I've definitely misunderstood something somewhere down the line, so please could you explain why?