Storing okta-token-storage tokenManager in cookie option

alicehelen84 · February 13, 2018, 2:51pm

I am using tokenManager: { storage: ‘sessionStorage’} to store the token in session storage.

Is there an option to store the tokenManager in cookie storage

tom · February 13, 2018, 4:00pm

What are you building? SPA?

alicehelen84 · February 13, 2018, 4:00pm

Yes, I am building Angular SPA

alicehelen84 · February 13, 2018, 6:50pm

I am building a Angular SPA app and we are trying to weigh the options of storing in web storage or client side cookie. Can you please advice if client side cookie storage is supported in okta auth API’s

tom · February 13, 2018, 6:59pm

The benefit of using a cookie comes down to that you can not read the cookie from Javascript, that is the main benefit over html5 web storage. When you set a cookie with Javascript, you can not set this cookie flag.

If you are a building a SPA, I would continue to use web storage.

Okta’s auth-js library will default to cookieStorage only if html5 web storage is not available from the browser.

Hope this helps!

alicehelen84 · February 13, 2018, 7:05pm

Since we cannot read the cookie from Javascript, then will we not be able to sliently renew the token from Angular client side. We would have to depend on the server side to perform the token renewal. Could you confirm if this is correct

tom · February 13, 2018, 7:27pm

I think we are conflating 2 concerns here:

The cookie/web storage that your application stores tokens in from okta-auth-js.
The cookie that okta sets for an okta session when successfully authenticates.

I’m talking about #1, you should use HTML5 web storage here from Angular. Behind the scenes, okta-auth-js can refresh the tokens silently because of #2 with an iframe + post message.

If you want to override this behavior, there is an option you can pass autoRefresh: false to auth-js configuration.

Token renewal (refresh token) is not possible for implicit flow. What do you mean by doing token renewal server side?

alicehelen84 · February 13, 2018, 7:35pm

Thanks for the explanation. I wanted to know about #1 how it works when we store tokens from okta-auth-js in cookie

When we store in HTML 5 web storage, okta-auth-js can refresh the tokens silently

tom · February 13, 2018, 9:24pm

It works the same, regardless where okta-auth-js stores the token.

okta-auth-js will not store it in an httpOnly cookie, the cookie is accessible with javascript. It will only store the tokens in cookies if the browser does not support html5 web storage.

Make sense?

alicehelen84 · February 13, 2018, 9:58pm

Yes, I got it. Thank you!

system · January 12, 2024, 8:25pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.