I agree with your research, Options [1] & [2] are *not* recommended. We use AWS Amplify (https://aws.amazon.com/amplify/) to handle that scenario; our tech stack comprises a React front-end, AWS Amplify integrated with our company's SSO provider, and a Rails API backend.

Using a third party like AWS Amplify will not handle all the security concerns; you will have to pay special attention to Token Validity. JWT claims offer a good amount of control if set up properly (https://tools.ietf.org/html/rfc7519).

I am not sure if this was helpful. Happy to help wherever I can.

Thanks,
*Anuj Bhandar*
Intuit Inc.

On Tue, Jul 7, 2020 at 3:52 PM Rastogi, Shivam <[email protected]> wrote:

> Hi Everyone,
>
> Just wanted to check if anyone has any experience in securing Single Page Webapps using JWT tokens.
>
> *Challenge*
>
> The challenge we are facing is how to store the JWT token at the client-side in the browser which will be used to securely call the back-end APIs.
>
> *Background*
>
> We are working on the custos UI portal and one of the design options that we are considering is to directly call the custos backend APIs from client-side javascript. The basic flow would look like:
>
> 1. User logs in using username and password from the login screen using the login API.
> 2. JWT token and basic user information is returned to the client in the response.
> 3. In subsequent API requests, the user will send this authentication token. But how to store this token at the client-side?
>
> *Options*
>
> 1. *Store it in localStorage* - This is not considered to be secure as localStorage is vulnerable to XSS attacks - https://dev.to/rdegges/please-stop-using-local-storage-1i04
> 2. *Store the JWT token in httpOnly cookie* - Browser adds the cookie to all the API calls - vulnerable to CSRF attacks and needs to be protected using a CSRF token or in some other manner. Do you have any experience implementing these securely?
> 3. *Have an authentication middleware (API gateway)* - All user requests are routed to the API gateway, which authenticates the users using a sessionId and then re-routes the requests to the API by including the user's JWT token or session information. More of a traditional way of doing things, but some big companies use this approach, like Airbnb as per this article - https://medium.com/airbnb-engineering/building-services-at-airbnb-part-2-142be1c5d506
>
> It would be really helpful if you can provide any inputs or share your experience with SPAs.
>
> Thanks and regards,
>
> Shivam Rastogi
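Anuj's point about token validity, shown as an added example that is not from either message or from the custos project: a plain-Ruby (standard library only) HS256 issuer/verifier, the kind a Rails API backend would run on every request, which checks the signature first and then the RFC 7519 `exp`, `nbf`, `iss` and `aud` claims, and rejects an expired, re-signed, wrong-issuer, wrong-audience or algorithm-swapped token. The key, issuer and audience strings are constructed placeholders.

```ruby
require 'base64'
require 'json'
require 'openssl'

# Added example (not from the thread): HS256 JWT issue/verify that enforces
# RFC 7519 validity claims. Key, issuer and audience values are constructed.
module JwtCheck
  ALG = 'HS256'

  def self.b64(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def self.sign(key, signing_input)
    OpenSSL::HMAC.digest('SHA256', key, signing_input)
  end

  # Constant-time comparison so signature checks do not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.issue(key, claims)
    header = b64(JSON.generate({ 'typ' => 'JWT', 'alg' => ALG }))
    payload = b64(JSON.generate(claims))
    "#{header}.#{payload}.#{b64(sign(key, "#{header}.#{payload}"))}"
  end

  # Returns [claims, nil] when the token is acceptable, else [nil, reason].
  # Order matters: verify the signature before trusting any claim value.
  def self.verify(token, key, iss:, aud:, now: Time.now.to_i)
    parts = token.split('.')
    return [nil, 'malformed'] unless parts.size == 3
    header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
    return [nil, 'alg'] unless header['alg'] == ALG # pin the algorithm server-side
    expected = sign(key, "#{parts[0]}.#{parts[1]}")
    return [nil, 'signature'] unless secure_equal?(expected, Base64.urlsafe_decode64(parts[2]))
    claims = JSON.parse(Base64.urlsafe_decode64(parts[1]))
    return [nil, 'missing exp'] unless claims['exp'].is_a?(Integer)
    return [nil, 'expired'] unless now < claims['exp']
    return [nil, 'not yet valid'] if claims['nbf'] && now < claims['nbf']
    return [nil, 'issuer'] unless claims['iss'] == iss
    return [nil, 'audience'] unless claims['aud'] == aud
    [claims, nil]
  rescue ArgumentError, JSON::ParserError, TypeError
    [nil, 'malformed']
  end
end
```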
