
How to save JWT token received from auth0 login securely (nodejs express)

I am new to Auth0 and trying to implement it in my regular express web application. I need to protect/validate the user before they access some of my endpoints. My understanding is that I can do this with the JWT that is returned from the login callback. I have gotten that far, but when I login, it redirects, and I'm unsure of how to pass in the access token/store it securely on the client side.

This is what my callback endpoint looks like after logging in. It returns the authorization code, but I am lost from here.

https://auth0.com/docs/api-auth/tutorials/authorization-code-grant

I return this on login:

/callback?code=oi9-ZTieXo0hYL6A&state=sMJAUK4QVs7jziJ7lXvwmGKF

// Perform the final stage of authentication and redirect to previously requested URL or '/user'
const express = require('express');
const passport = require('passport');
const router = express.Router();

router.get('/callback', function (req, res, next) {
  passport.authenticate('auth0', function (err, user, info) {
    if (err) { return next(err); }
    if (!user) { return res.redirect('/login'); }
    req.logIn(user, function (err) {
      if (err) { return next(err); }
      // Send the user back to the page they originally requested, else '/user'
      const returnTo = req.session.returnTo;
      delete req.session.returnTo;
      res.redirect(returnTo || '/user');
    });
  })(req, res, next);
});

Where do I go from here?

Auth0 does not recommend storing tokens in browser storage (session/local storage). For client side applications, tokens should be short lived and renewed when necessary via silent authentication (renewed via a cookie session with the auth server in a hidden iframe).

This is outlined here: https://auth0.com/docs/security/store-tokens

If you have a backend, then handle the tokens there, if you are using a SPA + API then use the strategy outlined in the link.
