FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

The client libraries should include token management functionality #1674

Open glen-84 opened 2 years ago

glen-84 commented 2 years ago


Problem

I'm in the process of evaluating FusionAuth, and I was quite surprised (and disappointed) to find that the client libraries don't include functionality to:

  1. Generate login/logout links (with state).
  2. Store access/refresh tokens (in memory, worker, local/session storage).
  3. Automatically use refresh tokens to update the access token.
  4. Handle PKCE (on the client side as well).

This means that if we decide to use FusionAuth, we'll have to write all of this code ourselves. It doesn't seem ideal that every developer has to rewrite the same code, which also means that the code may be less secure (for developers with a limited understanding of OAuth).

Auth0 and Amazon Cognito include this.

Solution

The client libraries should include the above-mentioned functionality, to speed up and improve the security of the integration.

Alternatives/workarounds

Additional context

n/a

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

fmp777 commented 1 year ago

OK 😅 I thought I was simply blind to something I thought would be obviously available, so thanks for posting this. I found it far easier to get up and running with OAuth, while I'm just stumbling with FusionAuth due to what I thought was incomplete docs, but now I see it's incomplete "client libraries".

I would think if you want to grow adoption, you focus on making SDKs have everything they need to implement it. Trying to figure out how to even use FusionAuth has been quite the process... 🤷‍♂️

mooreds commented 1 year ago

@fmp777 Thanks so much for the feedback!

JohnBergant commented 1 year ago

Storing refresh tokens in the browser opens them up to exfiltration attacks via XSS and JavaScript code. Depending on your application needs you may not be too worried about this. I wouldn't necessarily say this would increase security.

mooreds commented 1 year ago

Thanks for the comment @JohnBergant. Couldn't agree with you more that you have to watch out for XSS.

We recommend storing refresh tokens in secure HTTPOnly cookies or server-side: https://fusionauth.io/articles/oauth/oauth-token-storage
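The storage choice the last two comments turn on, as an added example (not FusionAuth's code or the linked article's): anything a page script can read, localStorage and `document.cookie` included, an XSS payload can read too, while a cookie flagged `HttpOnly` is sent by the browser but never exposed to script. The block builds the `Set-Cookie` header a backend would emit for the refresh token after the code exchange, and audits a header for the attributes that make that storage safe. The cookie name, path and lifetime are constructed for the example.

```javascript
// Added example, not FusionAuth code: refresh token in an HttpOnly cookie,
// plus an auditor for Set-Cookie headers. Cookie name, path and lifetime are
// constructed values.

// Attributes a refresh-token cookie must carry: HttpOnly keeps it away from
// script, Secure keeps it off plaintext HTTP, SameSite limits cross-site sends.
const REQUIRED_ATTRIBUTES = ['HttpOnly', 'Secure', 'SameSite'];

// RFC 6265 cookie-octet: printable ASCII without space, DQUOTE, comma,
// semicolon or backslash. Anything else could break out of the header.
const COOKIE_VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/;

// Set-Cookie value for the refresh token. Path is scoped to the refresh
// endpoint so the token is not attached to every request the app makes.
function refreshTokenCookie(token, {
  name = 'refresh_token',
  path = '/api/token/refresh',
  maxAgeSeconds = 30 * 24 * 3600,
} = {}) {
  if (!COOKIE_VALUE.test(token)) {
    throw new Error('token contains characters not allowed in a cookie value');
  }
  return [
    `${name}=${token}`,
    `Path=${path}`,
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    'SameSite=Strict',
  ].join('; ');
}

// Parse one Set-Cookie header and report which required attributes are
// missing. Attribute names are case-insensitive per RFC 6265.
function auditSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = new Map();
  for (const attr of rawAttrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const value = i === -1 ? true : attr.slice(i + 1).trim();
    attrs.set(key, value);
  }
  const missing = REQUIRED_ATTRIBUTES.filter((a) => !attrs.has(a.toLowerCase()));
  const findings = [...missing];
  const sameSite = attrs.get('samesite');
  if (typeof sameSite === 'string' && sameSite.toLowerCase() === 'none') {
    findings.push('SameSite=None permits cross-site sends');
  }
  if (!attrs.has('max-age') && !attrs.has('expires')) {
    findings.push('no expiry: cookie lives until the browser session ends');
  }
  return { name, missing, findings, ok: findings.length === 0 };
}

// Stand-alone demo: a hardened header beside a weak one. The token is a
// constructed sample, not a real FusionAuth refresh token.
const demoToken = 'sample.refresh.token-CONSTRUCTED';
console.log(auditSetCookie(refreshTokenCookie(demoToken)));
console.log(auditSetCookie(`refresh_token=${demoToken}; Path=/`));
```

Run `auditSetCookie` over the `Set-Cookie` headers an application actually returns (for example from a proxy log) to catch a refresh-token cookie that lost its `HttpOnly` or `Secure` flag in a config change.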