DuendeSoftware / Support

Support for Duende Software products

SPA access token management, refresh token management #1292

Closed chandraarora closed 3 months ago

chandraarora commented 3 months ago

Hi

We are using Duende IDP and it works like a charm.

We are building a Teams app and it is hosted in an iframe of the MS Teams site, which means we cannot use the BFF and cookie unless we change SameSite to None.

We would have to go with a SPA with access token authentication. Do we have any library which can manage the token at the client side, refresh the token automatically, and protect against XSS and CSRF attacks?

Thanks Chandra

RolandGuijt commented 3 months ago

oidc-client is an example of a library that can renew the token silently as long as there is an active session with the identity provider. It would be hard for any library to offer protection against the attacks you mention. The browser is just not a good place to keep any kind of secret. Since you can't use a BFF I recommend trying to mitigate the problem somewhat by giving the token a relatively short lifetime so that calls to the identity provider to renew are more frequent. That way at least there is a way to revoke access quickly when an attack is detected. But it depends on the application if that is practical/possible.
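Added example (not code from this thread or from Duende): a Duende IdentityServer client definition that applies the advice above, with short-lived, revocable access tokens and rotating refresh tokens. The client id, scope name and URLs are assumed placeholders.

```csharp
// Added example, not from the thread: IdentityServer client for a public SPA that keeps
// tokens in the browser. "teams-spa", "api" and the URLs are placeholders.
using System.Collections.Generic;
using Duende.IdentityServer;
using Duende.IdentityServer.Models;

public static class Clients
{
    public static IEnumerable<Client> Get() => new[]
    {
        new Client
        {
            ClientId = "teams-spa",                 // placeholder
            ClientName = "Teams tab SPA",
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,                     // public client: PKCE instead of a secret
            RequireClientSecret = false,

            RedirectUris = { "https://spa.example.test/callback",
                             "https://spa.example.test/silent-renew" },
            PostLogoutRedirectUris = { "https://spa.example.test/" },
            AllowedCorsOrigins = { "https://spa.example.test" },

            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId,
                              IdentityServerConstants.StandardScopes.Profile,
                              "api" },

            // Short access-token lifetime: the SPA has to renew often, so a token leaked
            // through XSS stops working within minutes once the session is ended at the IdP.
            AccessTokenLifetime = 300,              // 5 minutes
            // Reference tokens are validated at the IdP on every API call, so revocation
            // takes effect immediately instead of at expiry.
            AccessTokenType = AccessTokenType.Reference,

            // Refresh tokens let the SPA renew without depending on the IdP session cookie,
            // which an iframe may not be allowed to send. One-time use means a refresh
            // token that has already been exchanged is rejected if presented again.
            AllowOfflineAccess = true,
            RefreshTokenUsage = TokenUsage.OneTimeOnly,
            RefreshTokenExpiration = TokenExpiration.Sliding,
            SlidingRefreshTokenLifetime = 60 * 60 * 8,    // 8 hours of inactivity ends it
            AbsoluteRefreshTokenLifetime = 60 * 60 * 24,  // hard stop after 1 day
            UpdateAccessTokenClaimsOnRefresh = true,
        }
    };
}
```

Register the result with `AddInMemoryClients(Clients.Get())` (or your configuration store); the SPA side then needs silent renew or the refresh-token grant pointed at these lifetimes.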

RolandGuijt commented 3 months ago

@chandraarora Did my comment clear things up for you? If so I'd like to close.

chandraarora commented 3 months ago

Yes, thanks
