
I am using Google sign-in to log into my application. Where should I store the access token and refresh token? I have read in a few posts that it is not safe to store these tokens at the front end. This is the flow I have read in most of the posts:

  1. User clicks sign in with Google button and front end does all the authorization flow.

  2. Front end sends the token to the backend APIs, and the backend APIs validate it and do further user-related processing.

Now, my question is: if the backend APIs require the token in every request, then the front end must store it somewhere (which is not safe). And if I store the tokens at the backend, then how does the front end communicate with the backend in the subsequent requests?

XYZ
  • Possible duplicate of [What is the best way to manage a user's session in React?](https://stackoverflow.com/questions/42420531/what-is-the-best-way-to-manage-a-users-session-in-react) – K.Nicholas Jun 13 '19 at 18:30
  • This does not answer my question. – XYZ Jun 14 '19 at 05:05

1 Answer


You'd prefer to keep the server stateless, meaning that if the server unexpectedly crashes, every user does not have to re-authenticate. Also, as you mention, you need to have the token stored in the frontend for the subsequent requests to be validated.

Usually you store it in a cookie or sometimes in localStorage in the browser. As you mention, the storage of the tokens could potentially be unsafe; however, seeing as storing the token in a cookie is more or less only vulnerable to CSRF, I would consider it a good option.

Here is an article I found if you would like to read some more: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage

JustinCredible