lecarpetron dookmarion
Reputation: 711
OIDC Access Token - Where to store?
As we know there are three tokens involved in OpenIDConnect:
- Access Tokens in OIDC are by default, a random unique string, not encoded using JWT.
- ID token is encoded using JWT
- Refresh Tokens
we usually place the ID token in the cookie in httpOnly mode.
My question is, where is the recommended storage of Access tokens? surely you need to store them in the app side.
Upvotes: 4
Views: 3027
Answers (1)
Tore Nestenius
Reputation: 19921
You can store the tokens wherever you like, but the most common approaches are:
- Store the tokens inside the cookie. If the tokens are large, then this might be a problem because the cookies might get quite big.
- Store the tokens in a cache in memory or in a database and store a "reference" to them in the session cookie.
The ID-token usually have a very short lifetime (like 5 minutes from some providers) and it is used to create local "user" object.
Upvotes: 2
Related Questions
- Where should a SPA keep a OAuth 2.0 access token?
- Where to store ID tokens and which OAuth2 flow to use in a monolithic server-side rendered web app?
- Oauth2 authorization code flow: where do I store authorization code?
- How to store access token? (Oauth 2, Auth code flow)
- OPenID Connect : What to do with the access token
- OAuth 2.0 where to securely store access token for long term use
- any best practices for storing and accessing oAuth access_token?
- Where should I store the access token from OAuth2 in a MVC application?
- Best way to store OAuth token iOS?
- OAuth: what information should I store in tokens