keycloakify / oidc-spa

Openid connect client for Single Page Applications
https://www.oidc-spa.dev
MIT License

Storing OIDC Access Tokens in sessionStorage Risks - Is there a way to store the token in memory instead of in sessionStorage? #41

Closed ns-ssudhakaran closed 1 day ago

ns-ssudhakaran commented 1 day ago

Currently, OIDC access tokens are stored in sessionStorage, which exposes security vulnerabilities, especially in light of OWASP recommendations.

Security Concerns

- XSS Vulnerability: Tokens in sessionStorage are accessible to JavaScript, making them vulnerable to theft via XSS attacks.
- Token Theft Risk: Client-side storage in sessionStorage increases the risk of unauthorized token access and reuse.

Recommendation

To improve security, consider storing access tokens in memory rather than sessionStorage. This reduces the attack surface and aligns with OWASP's guidelines for secure client-side token handling.

garronej commented 1 day ago

Hello @ns-ssudhakaran,

Here you go: https://docs.oidc-spa.dev/documentation/disabeling-token-persistance

It's released in 5.6.0

Can't change the default though as it would be a breaking change.
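The trade-off discussed in this thread, as an added illustration that is not oidc-spa code: a sessionStorage-backed token holder beside a closure-held one, showing that only the persisted token is readable by any other script in the page and that the in-memory token does not survive a reload (the reason a persisted default is the non-breaking choice). The `Storage` shim and `reload()` helper are constructed here so the snippet runs under Node; in a browser, `window.sessionStorage` would be used directly.

```javascript
// Constructed shim so the example runs outside a browser; it mirrors the
// subset of the Web Storage API used below.
const sessionStorage = globalThis.sessionStorage ?? (() => {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
})();

// Persisted variant: the token is written to sessionStorage, so every script
// executing in the page origin can read it back with a single getItem().
function persistedTokenStore() {
  return {
    set(token) { sessionStorage.setItem("access_token", token); },
    authHeader() {
      const t = sessionStorage.getItem("access_token");
      return t === null ? null : `Bearer ${t}`;
    },
  };
}

// In-memory variant: the token lives only inside this closure. No global or
// storage key refers to it; callers only get a ready-made Authorization header.
function memoryTokenStore() {
  let token = null;
  return {
    set(t) { token = t; },
    authHeader() { return token === null ? null : `Bearer ${token}`; },
    // Hypothetical helper standing in for a full page reload: closure state is
    // gone, so the app must re-obtain a token from the OP instead of reading it back.
    reload() { token = null; },
  };
}

// What any other script in the page can observe: for the persisted store this
// is the raw token; for the memory store there is nothing to look up.
function readableFromStorage() {
  return sessionStorage.getItem("access_token");
}
```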