Reputation: 478
I'm currently following this guide to building a auth service in Spring boot https://www.callicoder.com/spring-boot-security-oauth2-social-login-part-1/
I've modified it so when a user creates and account with a username and password it also returns a refresh_token.
However, when I do an Auth flow with lets say facebook or google, I see the access token is appended in a redirect URL (see here github link)
Now reading the OAuth doc this seems to make sense. However, how do I return the refresh token to the user as well. Is it safe to pass both access and refresh token in the URL?
This is a side project that me and my mate are working on (he's doing the front end which he hasnt started yet :D) so I'm curious if its 1) ok to put both tokens in the URL and 2) should I be setting these as cookies httpOnly somehow for him.
Upvotes: 0
Views: 512
Reputation: 318
You can return refresh token in the url as well. Other possible solution is to write both tokens in the response body as a JSON payload.
Regarding your other question, you can safely store the refresh tokens in a HttpOnly cookie since it is the recommended way for persisting sensitive session-related data.
Upvotes: 1