Davood Mir

Reputation: 17

Token-based authentication in SPA (React)

As I realized, refresh tokens are not supported in SPA (React), because it cannot protect them.

So a series of questions came up for me:

1 - Can we use a long-lived access token in SPA? Is it secure?

2 - Is there an alternative solution for refresh tokens?

3 - Should we use a 3rd-party identity server such as IdentityServer 4, or can we implement token generation ourselves? What is the best practice?

Upvotes: 1

Views: 903

Answers (1)

Ivan Zaruba

Reputation: 4504

A bit late, but still...

You are right that a refresh token should not be returned by the Implicit Grant, which is used to authenticate users in SPA applications. And yes, the limitation is because a browser is unable to keep it private.

1 - Can we use a long-lived access token in SPA? Is it secure?

We can, but whether it will be secure would depend on your application's security policy. To keep it short, here is an example of how the Access Token Lifetime can be specified for various security requirements.

2 - Is there an alternative solution for refresh tokens?

Yes, it is called Silent Authentication and briefly it looks like this:

  • a client (SPA app) obtains an Access Token and an expires_in parameter
  • Identity Server provides an auth session (cookie) so the app can request a new token without providing credentials, since it's already authenticated at Identity Server
  • in case of the session's sliding expiration, a client pings Identity Server to keep the session alive as long as needed
  • once the Access Token expires and the auth session is alive (a check might be needed), a client requests another Access Token (this is usually done in a setTimeout), but in this case providing a parameter to tell Identity Server that the consent screen should be dropped (usually it is prompt=none)

Resources:

Azure AD Silent authentication

Auth0 Silent authentication

3 - Should we use a 3rd-party identity server such as IdentityServer 4, or can we implement token generation ourselves? What is the best practice?

That would depend on the size of your application and whether you need just a token generation or something more (like Federated authentication out-of-the-box, various grant types, etc.). For big enterprises (if there's no need to reinvent the wheel) it is always the best practice to use a production-ready 3rd party library (Identity Server 4 or OpenIddict) unless you have a small application (MVP, prototype, etc.).

Identity Server 4 needs some effort to configure it the right way and may simply be excessive. OpenIddict is a somewhat easier alternative.

Custom token generation is something that we used to do before Identity Server emerged. Today it is only a matter of having a quick solution for your custom authentication needs.

Worth mentioning: the project JWTSimpleServer for simple JWT authentication.

Upvotes: 2
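The silent-authentication steps described in the answer above, as an added example that is not part of the original question or answer and not code from any identity server product: building the prompt=none authorize request, scheduling the renewal from expires_in, and validating the fragment the hidden iframe comes back with. The endpoint and redirect URI are constructed placeholders; a real app would set a hidden iframe's src to the URL and read location.hash in the redirect page.

```javascript
// Silent token renewal helpers for an implicit-grant SPA (added example, not the answer's code).
// IDP_AUTHORIZE_URL and RENEW_REDIRECT_URI are constructed placeholders, not real endpoints.
const IDP_AUTHORIZE_URL = "https://idp.example.test/connect/authorize";
const RENEW_REDIRECT_URI = "https://spa.example.test/silent-renew.html";

// Same implicit-flow parameters as the interactive login, plus prompt=none so the IdP
// never renders a login/consent UI. If the IdP auth-session cookie is gone, the IdP
// redirects back with error=login_required instead of a token.
function buildSilentAuthUrl({ clientId, scope, state, nonce }) {
  const params = new URLSearchParams({
    client_id: clientId,
    response_type: "token id_token",
    redirect_uri: RENEW_REDIRECT_URI,
    scope,
    state,
    nonce,
    prompt: "none",
  });
  return `${IDP_AUTHORIZE_URL}?${params.toString()}`;
}

// Delay for the setTimeout that triggers renewal: fire a safety margin before expires_in
// (seconds) elapses so requests around the expiry boundary do not fail with 401.
function renewalDelayMs(expiresIn, marginSeconds = 60) {
  return Math.max((expiresIn - marginSeconds) * 1000, 0);
}

// Parse the fragment the IdP redirected the hidden iframe to (#access_token=...&state=...).
// The state must match what this renewal attempt sent, otherwise the response is ignored
// (protects against injected or stale responses). An error (e.g. login_required,
// interaction_required) means the app must fall back to an interactive login.
function parseRenewalFragment(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ""));
  if (p.get("state") !== expectedState) {
    return { ok: false, error: "state_mismatch" };
  }
  if (p.has("error")) {
    return { ok: false, error: p.get("error") };
  }
  return {
    ok: true,
    accessToken: p.get("access_token"),
    idToken: p.get("id_token"),
    expiresIn: Number(p.get("expires_in")),
  };
}

module.exports = { buildSilentAuthUrl, renewalDelayMs, parseRenewalFragment };
```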
