Given a low enough ID token expiry, is it safe to store it in the browser (localstorage/cookies)?
I prefer not to introduce any sessions / state in the backend.
4 Replies
I don't need my users to stay logged in either.
It's fine (in fact, desirable) to force them out after 3600s.
Hi @danslo,
Could you clarify a few details about what you’re trying to achieve?
- What is your goal with storing the ID token in the browser? Are you using it primarily for frontend-only authentication, or will you also interact with a backend API?
- Which SDK or framework are you using? (e.g., Kinde SDK for Next.js or another package).
- Are you handling user authentication solely through the ID token, or are you using access tokens as well?
Regarding ID tokens: these are designed to securely convey information about authenticated users to your application. They include claims like aud (audience), exp (expiration time), iat (issued at), and iss (issuer) to ensure authenticity and mitigate risks like replay attacks.
For secure storage in a browser, consider:
- Using short-lived expiration (exp) to reduce exposure risks.
- Implementing secure storage methods (e.g., httpOnly cookies for better protection against XSS).
- Avoiding long-term storage of tokens in places like localStorage or sessionStorage when handling sensitive operations.
If you can share more details, I can guide you further!
Best regards,
Ages
>What is your goal with storing the ID token in the browser? Are you using it primarily for frontend-only authentication, or will you also interact with a backend API?
Interacting with server-side-rendered application (Go), which I don't want to complicate with sessions.
>Which SDK or framework are you using?
No SDK or framework, plain Go.
>Are you handling user authentication solely through the ID token, or are you using access tokens as well?
Currently storing ID token in cookie and validating in the backend (through middleware) on every request.
Expiration of the token as well as the cookie is low (3600s).
Hi @danslo,
Thanks for clarifying! Your approach to using a stateless backend with ID tokens and middleware for authentication aligns well with simplicity and short-lived sessions.
Here are a few quick tips:
1. Token Validation: Ensure your middleware validates the token’s signature, aud, and iss claims for added security.
2. Secure Cookies: Storing the token in HTTP-only, secure cookies with SameSite=Strict helps protect against XSS and CSRF.
3. Token Refresh: While short expiration is fine, you could consider a refresh token flow for future scalability.
4. Middleware: Centralize validation logic and log token errors (e.g., expiry or invalid signature) for easier debugging.
Let me know if this answers your questions or if you'd like to explore any specific aspect further.
Best regards,
Ages
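As an added example (not code from this thread, from Kinde, or from the poster's application), here is what the stateless cookie-plus-middleware setup described above can look like in plain Go using only the standard library. It covers the points in the reply: the middleware validates the signature, alg, iss, aud and exp on every request, logs the rejection reason, and the cookie is set HttpOnly, Secure and SameSite=Strict with a lifetime matching the token. It assumes the provider's RS256 public key is already loaded (a real deployment fetches it from the issuer's JWKS endpoint and caches it); the cookie name, issuer URL and audience are placeholders, and the SignIDToken helper exists only to construct a sample token offline, since a real application never signs ID tokens itself.

```go
package main

import (
	"context"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"log"
	"net/http"
	"strings"
	"time"
)

const cookieName = "id_token" // assumed cookie name; the thread does not state one
type subjectKey struct{}      // context key for the verified "sub" claim

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignIDToken fabricates an RS256 token as sample input; a real app never signs one, the provider does.
func SignIDToken(priv *rsa.PrivateKey, claims map[string]any) string {
	payload, _ := json.Marshal(claims)
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signingInput + "." + b64(sig)
}

// ValidateIDToken verifies the signature before interpreting any claim, then checks iss, aud and exp.
func ValidateIDToken(token string, pub *rsa.PublicKey, iss, aud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, errors.New("bad base64url segment")
		}
		raw[i] = b
	}
	var header struct{ Alg string `json:"alg"` }
	// Pin the algorithm: a header claiming "none" or an HMAC alg is rejected outright.
	if err := json.Unmarshal(raw[0], &header); err != nil || header.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("invalid signature")
	}
	var claims map[string]any
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, errors.New("bad payload")
	}
	audOK := claims["aud"] == aud // aud is a single string ...
	if list, ok := claims["aud"].([]any); ok { // ... or an array of strings
		for _, a := range list {
			audOK = audOK || a == aud
		}
	}
	if claims["iss"] != iss || !audOK {
		return nil, errors.New("issuer or audience mismatch")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64; exp is epoch seconds
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

// AuthMiddleware authenticates every request from its cookie; no server-side session exists.
func AuthMiddleware(next http.Handler, pub *rsa.PublicKey, iss, aud string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var claims map[string]any
		c, err := r.Cookie(cookieName)
		if err == nil {
			claims, err = ValidateIDToken(c.Value, pub, iss, aud, time.Now())
		}
		if err != nil {
			log.Printf("auth failed for %s: %v", r.URL.Path, err) // log the reason, never the token
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), subjectKey{}, claims["sub"])))
	})
}

// SetTokenCookie stores the token HttpOnly (no page-script access), Secure (HTTPS only), SameSite=Strict.
func SetTokenCookie(w http.ResponseWriter, token string, ttl time.Duration) {
	http.SetCookie(w, &http.Cookie{
		Name: cookieName, Value: token, Path: "/", MaxAge: int(ttl.Seconds()),
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode,
	})
}
```

Mount it as `mux.Handle("/", AuthMiddleware(app, pub, issuer, clientID))` and pass the token's remaining lifetime to SetTokenCookie so the cookie and the token expire together, as in the 3600s setup in the thread. The validator checks the signature before reading any claim and pins the alg, so a token with a rewritten header, or one signed by a key other than the provider's, is rejected before its claims are consulted; the middleware reports only the reason, never the token value, in its log line.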