Reputation: 137
Handling Multitab support with JWT Long lived Refresh token in secured cookie and Short lived Access token in memory
I currently use Spring Oauth 2 framework for authentication and authorization. When i google on what is the best way to store the access token and refresh token, i was recommended to store the access token in memory such as a variable and store the refresh token in a secured HttpOnly cookie. This was working fine until i faced a new issue.
I opened a new tab next to the tab where i was already logged in, now the problem is instead of directly going into the application, the login page was presented. I now again enter my username and password and login into the second tab without any issues.
But when i do logout from the 2nd tab, both first and second tab gets logged out since the refresh token cookie is shared but the access token which is not shared between tabs since its stored in a variable.
I was expecting following results
- When i do a login into my second tab, i expect the session to be separate. The reason i'm setting the refresh token in cookies instead of storing it in a variable like access token because there are multiple applications hosted in the same domain to implement SSO concept. When an another application is clicked instead of routing it to a login page, i just get a new access token for the application using the refresh token that is stored in the http only cookie
- I was told the only solution is to store the access token in localstorage or normal cookies so that i can also share the access token between tabs but it seems to be not a secure way as the token being can be stolen using XSS attack.
Hoping for a optimal solution. BTW when the user logsout, the invalidate both the access and refresh token from my JDBC token store
Upvotes: 1
Views: 1525
Answers (1)
Reputation: 29263
Sounds like you need to decide what type of Web UI you want. Trying to mix and match these concepts does not work well, as you are discovering:
- Either your Web UI is a cookieless Single Page Application
- Or your Web UI routes all data requests via a web back end using an Auth cookie
TOKEN SCOPE
Generally tokens are private per browser tab and auth cookies are not, as you realise. Using tokens in the Web UI will give you better control of usability aspects.
SPA COOKIELESS MODEL
This gives you independent sessions per browser tab, but requires you to use a library such as oidc client to implement logins client side. You can then store an access token in memory. Token refresh is done via silent iframe redirects and not via refresh tokens.
SPA COOKIELESS COMPONENTS
In this model:
- Spring Boot's role would be to host REST APIs
- The Web UI would not use Java at all
- The Web Back End would be just static content
For a bit more background, and how to implement login / token management in Javascript, see these posts of mine:
NO WEB UI OPTION IS PERFECT
They all have annoyances and sometimes it depends what your stakeholders most care about.
Upvotes: 1
Related Questions
- Why not just use a long TTL reference token in replace of access and refresh JWT tokens?
- OAuth 2.0 Refresh Token multiple Tabs
- Should JWT refresh token and access token travel together?
- JWT / Session Cookie Authentication Hybrid
- JWT authentication & refresh token implementation
- Authorization Code Flow and multiple Tabs
- Multiple Access token with one refresh token
- Using JWT along with refresh tokens in Spring OAuth2
- JHipster JWT authentication across browser tabs
- Implementing JWT storage to allow browser refresh but clearing on tab/browser close