
Question - What is the recommended way to use react-oidc-context while mitigating XSS attacks

obrassard opened this issue 7 months ago · 4 comments

Most security professionals agree that storing access tokens and refresh tokens in browser storage (local storage or session storage) is a security risk because it makes your application vulnerable to XSS attacks.

Therefore, I am curious about the recommended way to use this library while persisting user sessions without being vulnerable to XSS. I can envision this flow, but I am unsure how it would integrate with react-oidc-context:

  1. User initiates the sign-in process.
  2. The frontend redirects to the Identity Provider (IDP).
  3. The user signs in.
  4. The IDP redirects the user back to the redirect URI with an authorization_code.
  5. The frontend sends the authorization_code to the backend API.
  6. The backend exchanges the code for access_token, id_token, and refresh_token with the IDP.
  7. The backend sets the refresh_token in a HttpOnly + Secure cookie and returns the access/id tokens to the frontend, if necessary.

Is there a way to implement this type of flow with this library? Or is there another way? Thank you in advance for your help.

obrassard avatar May 08 '25 18:05 obrassard
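The code-exchange and refresh endpoints for the seven-step flow in the question, as an added example (not code from react-oidc-context or from the issue's author): a minimal backend-for-frontend in Node.js. The IDP token call is injected as a function so the demo runs offline against a constructed stand-in; the cookie name `rt`, the route `/auth/refresh`, the 30-day cookie lifetime, and the assumption that the backend receives whatever the IDP needs to complete the exchange (for example the PKCE `code_verifier` alongside the code) are all assumptions of the example, not part of the library.

```javascript
// Added example (not from react-oidc-context or this issue): backend side of
// steps 5-7, plus the refresh route that gives the SPA a persistent session
// without ever exposing the refresh token to JavaScript.

const REFRESH_COOKIE = "rt";            // assumed cookie name
const REFRESH_PATH = "/auth/refresh";   // assumed route; cookie is scoped to it
const REFRESH_MAX_AGE = 30 * 24 * 3600; // assumed lifetime: 30 days

// Serialize the refresh-token cookie with the hardening attributes from the
// question (HttpOnly + Secure) plus SameSite and a narrow Path, so the
// browser only attaches it to same-site requests for the refresh route.
function refreshCookie(refreshToken) {
  return [
    `${REFRESH_COOKIE}=${encodeURIComponent(refreshToken)}`,
    `Max-Age=${REFRESH_MAX_AGE}`,
    `Path=${REFRESH_PATH}`,
    "HttpOnly",
    "Secure",
    "SameSite=Strict",
  ].join("; ");
}

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Shape the JSON body for the SPA: short-lived tokens only, never the
// refresh token.
function publicTokens(tokens) {
  const { access_token, id_token, expires_in, token_type } = tokens;
  return { access_token, id_token, expires_in, token_type };
}

// Step 5-7: the SPA posts the authorization code; the backend exchanges it
// (exchangeCode is synchronous here for the offline demo; a real one would
// POST to the IDP token endpoint) and moves the refresh token into a cookie.
function handleCallback(req, exchangeCode) {
  if (req.method !== "POST") return { status: 405, headers: {}, body: { error: "method" } };
  const { code, code_verifier } = req.body || {};
  if (!code) return { status: 400, headers: {}, body: { error: "missing code" } };
  const tokens = exchangeCode({ grant_type: "authorization_code", code, code_verifier });
  const headers = {};
  if (tokens.refresh_token) headers["Set-Cookie"] = refreshCookie(tokens.refresh_token);
  return { status: 200, headers, body: publicTokens(tokens) };
}

// Session persistence: on startup the SPA calls this route with credentials
// included; the browser attaches the cookie, the backend redeems it, and the
// SPA gets fresh in-memory tokens back. A rotated refresh token is re-cookied.
function handleRefresh(req, exchangeCode) {
  if (req.method !== "POST") return { status: 405, headers: {}, body: { error: "method" } };
  const cookies = parseCookies((req.headers || {}).cookie);
  const refreshToken = cookies[REFRESH_COOKIE];
  if (!refreshToken) return { status: 401, headers: {}, body: { error: "no session" } };
  const tokens = exchangeCode({ grant_type: "refresh_token", refresh_token: refreshToken });
  const headers = {};
  if (tokens.refresh_token) headers["Set-Cookie"] = refreshCookie(tokens.refresh_token);
  return { status: 200, headers, body: publicTokens(tokens) };
}

// Constructed stand-in for the IDP token endpoint (sample values, not real).
function fakeExchange(params) {
  if (params.grant_type === "authorization_code" && params.code === "good-code") {
    return { access_token: "at-1", id_token: "idt-1", refresh_token: "rt-1", expires_in: 300, token_type: "Bearer" };
  }
  if (params.grant_type === "refresh_token" && params.refresh_token === "rt-1") {
    return { access_token: "at-2", id_token: "idt-2", refresh_token: "rt-2", expires_in: 300, token_type: "Bearer" };
  }
  throw new Error("invalid_grant");
}

// Walk the flow once with the constructed IDP and return both responses.
function demo() {
  const cb = handleCallback({ method: "POST", body: { code: "good-code" } }, fakeExchange);
  const rf = handleRefresh({ method: "POST", headers: { cookie: "theme=dark; " + REFRESH_COOKIE + "=rt-1" } }, fakeExchange);
  return { callback: cb, refresh: rf };
}

console.log(JSON.stringify(demo(), null, 2));
```

With this in place the SPA keeps only the short-lived access and id tokens in memory (the behaviour InMemoryWebStorage gives you in the library), calls the refresh route with `credentials: "include"` when it loads, and never holds the refresh token anywhere script can read it. Because the cookie is scoped to `Path=/auth/refresh` with `SameSite=Strict`, the browser does not attach it to ordinary API calls or to cross-site navigations, which limits what an injected script or a forged request can do with it.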

https://github.com/authts/react-oidc-context/issues/1450

malgasm avatar May 17 '25 08:05 malgasm

@malgasm InMemoryWebStorage doesn't persist user sessions

obrassard avatar May 17 '25 10:05 obrassard

@obrassard session persistence is a feature your IDP could provide (e.g. remember me). This approach grants persistence with InMemoryWebStorage

malgasm avatar May 21 '25 21:05 malgasm

Indeed if possible, this would be the best solution.

However, in our case we use Cognito with the managed sign-in pages. I'll have to double-check, but I don't think they provide a "remember me" feature.

obrassard avatar May 22 '25 03:05 obrassard