I would like to recall my first statement: local storage is *not* recommended. But cookies offer some good security controls as token stores (https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage).
Thanks,
*Anuj Bhandar*
Intuit Inc.

On Tue, Jul 7, 2020 at 4:52 PM anuj bhandar <[email protected]> wrote:

> I agree with your research, Options [1] & [2] are *not* recommended.
>
> We use AWS Amplify (https://aws.amazon.com/amplify/) to handle that
> scenario; our tech stack comprises a React front-end, AWS Amplify integrated
> with our company's SSO provider, and a Rails API backend.
>
> Using a third party like AWS Amplify will not handle all the security
> concerns; you will have to pay special attention to token validity. JWT
> claims offer a good amount of control if set up properly
> (https://tools.ietf.org/html/rfc7519).
>
> I am not sure if this was helpful. Happy to help wherever I can.
>
> Thanks,
> *Anuj Bhandar*
> Intuit Inc.
>
> On Tue, Jul 7, 2020 at 3:52 PM Rastogi, Shivam <[email protected]> wrote:
>
>> Hi Everyone,
>>
>> Just wanted to check if anyone has any experience in securing Single Page
>> Webapps using JWT tokens.
>>
>> *Challenge*
>>
>> The challenge we are facing is how to store the JWT token at the
>> client-side in the browser, which will be used to securely call the back-end
>> APIs.
>>
>> *Background*
>>
>> We are working on the custos UI portal and one of the design options that
>> we are considering is to directly call the custos backend APIs from
>> client-side JavaScript. The basic flow would look like:
>>
>> 1. User logs in using username and password from the login screen using
>> the login API.
>> 2. JWT token and basic user information are returned to the client in the
>> response.
>> 3. In subsequent API requests, the user will send this authentication token.
>> But how to store this token at the client-side?
>>
>> *Options*
>>
>> 1. *Store it in localStorage* - This is not considered to be secure,
>> as localStorage is vulnerable to XSS attacks:
>> https://dev.to/rdegges/please-stop-using-local-storage-1i04
>> 2. *Store the JWT token in an httpOnly cookie* - The browser adds the cookie
>> to all the API calls; this is vulnerable to CSRF attacks and needs to be
>> protected using a CSRF token or in some other manner. Do you have any
>> experience implementing these securely?
>> 3. *Have an authentication middleware (API gateway)* - All user
>> requests are routed to the API gateway, which authenticates the users using
>> a sessionId and then re-routes the requests to the API by including the
>> user's JWT token or session information. More of a traditional way of doing
>> things, but some big companies use this approach, like Airbnb, as per this
>> article:
>> https://medium.com/airbnb-engineering/building-services-at-airbnb-part-2-142be1c5d506
>>
>> It would be really helpful if you can provide any inputs or share your
>> experience with SPAs.
>>
>> Thanks and regards,
>>
>> Shivam Rastogi
>
