Client Side React

I am looking to build a React front end / Core Web API backend with SSO. There is a great starter article on this and your NPM package is great, but the problem is that it stores the token in browser storage, which is a big no-no for security.

So what is the best way to accomplish this without storing the raw token in browser storage?


You could store it on the server and use good ol’ fashioned cookies to establish the session between your frontend and backend. This blog post shows how to do it with an Angular + Spring Boot (Java) backend.

Specifically, see the Combine Your Angular + Spring Boot App into a Single JAR section.

Thanks, that was my thought and everything I read pointed me to that solution… So I very much appreciate having a real example to work from!!!

@mraible I am new to doing this on the client side (aka building SPAs)… Is my concern valid? Or is using the Authorization Code flow with PKCE enough security? I understand that this flow prevents a malicious user from being able to take the code and exchange it for a token… but at the end of the day, the token is still stored in browser storage.

What is the best practice?

If your SPA doesn’t have a backend it controls, then you’re stuck with Auth Code Flow + PKCE. It’s typically enough security if you have a good content security policy and prevent third-party scripts from accessing your app.

If your SPA has a backend it controls, my recommendation is to do the authentication there. That’s how we do it in JHipster.