Storing okta-token-storage tokenManager in cookie option

I am using tokenManager: { storage: ‘sessionStorage’} to store the token in session storage.

Is there an option to store the tokenManager in cookie storage

What are you building? SPA?

Yes, I am building Angular SPA

I am building a Angular SPA app and we are trying to weigh the options of storing in web storage or client side cookie. Can you please advice if client side cookie storage is supported in okta auth API’s

The benefit of using a cookie comes down to that you can not read the cookie from Javascript, that is the main benefit over html5 web storage. When you set a cookie with Javascript, you can not set this cookie flag.

If you are a building a SPA, I would continue to use web storage.

Okta’s auth-js library will default to cookieStorage only if html5 web storage is not available from the browser.

Hope this helps!

Since we cannot read the cookie from Javascript, then will we not be able to sliently renew the token from Angular client side. We would have to depend on the server side to perform the token renewal. Could you confirm if this is correct

I think we are conflating 2 concerns here:

  1. The cookie/web storage that your application stores tokens in from okta-auth-js.
  2. The cookie that okta sets for an okta session when successfully authenticates.

I’m talking about #1, you should use HTML5 web storage here from Angular. Behind the scenes, okta-auth-js can refresh the tokens silently because of #2 with an iframe + post message.

If you want to override this behavior, there is an option you can pass autoRefresh: false to auth-js configuration.

Token renewal (refresh token) is not possible for implicit flow. What do you mean by doing token renewal server side?

Thanks for the explanation. I wanted to know about #1 how it works when we store tokens from okta-auth-js in cookie

When we store in HTML 5 web storage, okta-auth-js can refresh the tokens silently

It works the same, regardless where okta-auth-js stores the token.

okta-auth-js will not store it in an httpOnly cookie, the cookie is accessible with javascript. It will only store the tokens in cookies if the browser does not support html5 web storage.

Make sense?

Yes, I got it. Thank you!

1 Like