
One of the use cases for doing Implicit Grants in OAuth 2 is web apps that use JavaScript. My question is: how do you store the access token?

For web apps with server-side scripting I normally store the access token in a database or in a cookie that's not JS-accessible. For a mobile app, which also uses the implicit grant, you can store the token on the device. But for a JS web app, the only way I could think of is to store it in memory in a private variable. The difference from having server-side scripting is that with this approach, once the page is closed, you're technically logged out. But how is this normally done?

1 Answer

You can store it in HTML5 Web Storage:

```javascript
// $window is AngularJS's injectable wrapper around the browser's global window object;
// in plain JavaScript this is simply window.sessionStorage.token = 'serverToken';
$window.sessionStorage.token = 'serverToken';
```

The data persisted there lives until the browser tab is closed.

You can also store it in a cookie; you can read more about that here: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/
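The two options the question and the answer describe, side by side, as an added example that is not part of the original answer: the access token is taken from the implicit-grant redirect fragment, then held either in Web Storage (the answer's approach) or in a private variable (the question's approach). A constructed in-memory Storage object stands in for `window.sessionStorage` so the file runs under Node; the `injectedScriptSteals` function models what a script injected through XSS can read from the same origin. The token value, `state` value and the `/api/me` URL are constructed sample data.

```javascript
// Added example, not code from the original answer. Compares holding an
// implicit-grant access token in Web Storage versus in a closure variable,
// and what an XSS payload running on the same origin can reach in each case.

// Constructed stand-in for the Web Storage API so this runs outside a browser;
// in a page you would use window.sessionStorage directly.
function makeStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}
const sessionStorage = makeStorage();

// The implicit grant returns the token in the URL fragment, e.g.
//   https://app.example/cb#access_token=...&token_type=bearer&expires_in=3600&state=...
// Parse it and reject redirects whose state does not match the value we sent
// with the authorization request (RFC 6749 section 4.2.2).
function parseFragment(hash, expectedState) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch: redirect is not a reply to our request');
  }
  const token = params.get('access_token');
  const type = (params.get('token_type') || '').toLowerCase();
  if (!token || type !== 'bearer') {
    throw new Error('no bearer access_token in fragment');
  }
  const expiresIn = Number(params.get('expires_in') || 3600);
  return { token, expiresAt: Date.now() + expiresIn * 1000 };
}

// Strategy 1 (the answer): Web Storage. Survives reloads within the tab, but
// any script on the origin can read it back by key.
const webStorageStore = {
  save: (t) => sessionStorage.setItem('token', t.token),
  get: () => sessionStorage.getItem('token'),
  clear: () => sessionStorage.removeItem('token'),
};

// Strategy 2 (the question): a private variable. Lost when the page unloads,
// but not reachable by name from other code; only our fetch wrapper sees it.
const memoryStore = (() => {
  let token = null;
  return {
    save: (t) => { token = t.token; },
    get: () => token,
    clear: () => { token = null; },
  };
})();

// The one place the token is used: a fetch wrapper that adds the header.
// fetchImpl is passed in so the example runs without a network.
function authorizedFetch(store, fetchImpl, url, init) {
  const token = store.get();
  if (!token) throw new Error('not logged in');
  const opts = Object.assign({}, init || {});
  opts.headers = Object.assign({}, opts.headers, { Authorization: 'Bearer ' + token });
  return fetchImpl(url, opts);
}

// What an injected script can do directly: it shares the origin, so it reads
// Web Storage by key. It cannot name the closure variable, so this returns
// null when the token is held only in memory.
function injectedScriptSteals() {
  return sessionStorage.getItem('token');
}
```

The closure stops the simplest exfiltration (`sessionStorage.getItem` or a loop over all keys), but it does not remove the XSS risk: a script running in the page can still call `authorizedFetch` or any app function that uses the token, so the in-memory variable narrows what an attacker can take rather than making the token unreachable. Also clear the fragment from the address bar after parsing it (for example with `history.replaceState`), since the token otherwise stays in the browser history.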


2 Comments

Due to the XSS risk of using HTML5 Web Storage, I guess having a bit of server-side scripting is still safest. Thanks.
Yes, it's not totally safe. If your app needs strong security, I don't recommend you send the token with each request; the better way is to make it stateful and use CSRF protection.
