-2

So, I am trying to safely store an authentication token using Angular, processed with additional encryption on top (in the front end) and put in browser local storage (so that not just anyone can decode it). Many people recommend this method, but I came across several opinions that say even in such a case one can access your source code through your browser and get your secret key to decrypt the Auth Token (for example, an experienced hacker). Many people claim that Access + Refresh tokens are the best in terms of security.

So, my question is: what are the standard practices for serving/storing an authentication token? Is token encryption in local storage a good implementation, or should we use refresh tokens (although they are harder to implement)?

1
  • 2
    Yes, anything on the client can be accessed by the user / the actual client. Encrypting data to hide it from the client makes little or no sense.
    – luk2302
    Commented Oct 26, 2022 at 6:30

1 Answer 1

1

I think you should use both a refresh and an access token for maximum security. The access token should have an expiration date and should be blacklisted after rotation (when you use the refresh token to get an access token). If you need even more security, after rotation the user should get a new refresh and access token.

1
  • Thank you for the fast response. Can I ask why there is such a term as "maximum security"? I mean, shouldn't our app be either secure or insecure? I mean, are there security gold practices which guarantee that your app IS secure (in terms of tokens, for example)?
    – Andrеw
    Commented Oct 26, 2022 at 6:38
