Open altenfreelance opened 3 years ago
Actually... I don't see a reference to local storage?
I can confirm that it does use localStorage. Please see https://github.com/gardner/react-oauth2-pkce/blob/2c33d03a7f40a1059c774cb5d820fd06e0b83b98/src/AuthService.ts#L113
This is definitely using local storage. For PKCE flow, does anybody here know what I need to do to refresh this storage back to null when the user actually revokes access to the application on the server? I thought this would have been done automatically but it is not. The auth item still appears under local storage and session storage even after the application has been revoked at the server.
https://dev.to/cotter/localstorage-vs-cookies-all-you-need-to-know-about-storing-jwt-tokens-securely-in-the-front-end-15id
Storing auth token in local storage is an XSS vulnerability.
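One way to handle the revocation question raised in the thread, as an added example that is not part of the thread or of react-oauth2-pkce: a fetch wrapper that purges the stored tokens from both storage areas when the API answers 401. It assumes the tokens live as JSON under the `auth` key and that the API rejects a revoked token with 401; `makeAuthFetch`, `onRevoked` and `MemoryStorage` are hypothetical names.

```javascript
// Assumption: tokens are stored as JSON under the "auth" key, the item named in the thread.
const AUTH_KEY = 'auth';
// Remove the stored tokens from every storage area that may hold them.
function clearStoredAuth(stores) {
  for (const store of stores) store.removeItem(AUTH_KEY);
}

// Return the stored access token or null; unparseable data is purged, not trusted.
function readAccessToken(stores) {
  const raw = stores[0].getItem(AUTH_KEY);
  if (raw === null) return null;
  try {
    const token = JSON.parse(raw).access_token;
    return typeof token === 'string' ? token : null;
  } catch (err) {
    clearStoredAuth(stores);
    return null;
  }
}

// Wrap fetch so that a 401 from the API (assumed to mean revoked or expired) wipes the local copy.
function makeAuthFetch(fetchImpl, stores, onRevoked = () => {}) {
  return async function authFetch(url, init = {}) {
    const token = readAccessToken(stores);
    const headers = { ...(init.headers || {}) };
    if (token) headers.Authorization = `Bearer ${token}`;
    const res = await fetchImpl(url, { ...init, headers });
    if (res.status === 401) {
      clearStoredAuth(stores);
      onRevoked(); // hypothetical hook, e.g. restart the login flow
    }
    return res;
  };
}

// Constructed stand-in for window.localStorage / sessionStorage so the example runs in Node.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
}
// Constructed demo: the fake API answers 401, as if access had been revoked server-side.
async function demo() {
  const stores = [new MemoryStorage(), new MemoryStorage()];
  for (const s of stores) s.setItem(AUTH_KEY, '{"access_token":"constructed-token"}');
  const fakeFetch = async (url, init) => ({ status: 401, sent: init.headers.Authorization });
  const res = await makeAuthFetch(fakeFetch, stores)('https://api.example.test/me');
  return { sent: res.sent, left: stores.map((s) => s.getItem(AUTH_KEY)) };
}
```

In a browser, pass `[window.localStorage, window.sessionStorage]` as `stores` and `window.fetch.bind(window)` as `fetchImpl`. The stale entry is only noticed on the next API call, so a revoked token stays readable in storage until then.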