truqu / elm-oauth2

OAuth 2.0 client-side utils in Elm
MIT License

Can I have two systems authenticated at the same time? #24

Closed peterjamesward closed 3 years ago

peterjamesward commented 3 years ago

Hi. This is a question, not a real issue.

I was this morning about to add Komoot authentication to my software, which already has Strava authentication. It occurs to me that users will often require both (e.g. a route from Komoot and a segment from Strava). I presume this will require saving any current token locally during the redirects.

My question is about whether this is: a) not a problem, it just works; b) fine, but I have to use local storage and make sure any tokens loaded from local storage are still valid; c) known to be impossible, don't bother trying.

Your experience and advice would be very welcome before I bang my head against another wall.

Peter

peterjamesward commented 3 years ago

I'm working through this slowly. It seems I need two sets of ports. Two message wrappers. Rather a chore.

KtorZ commented 3 years ago

There should be indeed (at least) a single Access Token per client (though a client may have more than one). When making a request, the access token must be provided to authenticate the client. That means indeed that clients must have ways to remember previously obtained tokens.

Storing them in the local storage is usually not recommended for standard web applications as it opens up room for a certain class of attacks (XSS). The preferred approach is to store them in cookies readable by the server only. A good read on the topic: https://blog.cotter.app/localstorage-vs-cookies-all-you-need-to-know-about-storing-jwt-tokens-securely-in-the-front-end/

In your case, since you're dealing with two different providers, you'll need to store both access tokens and provide the right one to the right server. There are cases where a given provider allows you to obtain an access token from another provider (for instance, you can authenticate to the Spotify API by using Facebook) but in general, they do not (unless major providers).
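The two points in the answer above (one token per provider, handed only to that provider's API, and a check that a remembered token is still valid before it is used; and the server-only cookie as the safer alternative) as an added example. This is not code from elm-oauth2 or from either participant; it is the JavaScript side of the ports an Elm app would use, and the names `TokenStore`, `buildSessionCookie`, `memoryStorage` and the provider keys `"strava"` / `"komoot"` are assumptions made for the example.

```javascript
// Added example, not part of the elm-oauth2 project or this thread.
// Per-provider token store for the JavaScript side of an Elm port, plus the
// HttpOnly cookie header a small backend would set instead of returning the
// token to the page. All names here are assumptions for the example.

// A Storage-like backend so the example runs outside a browser. In a page this
// would be window.localStorage or sessionStorage. Constructed for the example.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

const PREFIX = "oauth2:";

// One entry per provider; each records when it expires so a stale token is
// never handed back to the caller (option b in the question above).
class TokenStore {
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;
    this.now = now; // injectable clock, so expiry can be tested deterministically
  }

  save(provider, { accessToken, expiresIn }) {
    const entry = {
      accessToken,
      // expires_in in a token response is in seconds (RFC 6749 section 5.1)
      expiresAt: this.now() + expiresIn * 1000,
    };
    this.storage.setItem(PREFIX + provider, JSON.stringify(entry));
  }

  // Returns the access token for this provider, or null if none / expired / corrupt.
  get(provider) {
    const key = PREFIX + provider;
    const raw = this.storage.getItem(key);
    if (raw === null) return null;
    let entry;
    try {
      entry = JSON.parse(raw);
    } catch (_) {
      this.storage.removeItem(key); // unparseable: treat as absent
      return null;
    }
    if (typeof entry.expiresAt !== "number" || entry.expiresAt <= this.now()) {
      this.storage.removeItem(key); // expired: drop it so it is not retried
      return null;
    }
    return entry.accessToken;
  }

  // Authorization header for a request to ONE provider; tokens are never mixed
  // across providers because each is looked up under its own key.
  authHeader(provider) {
    const token = this.get(provider);
    return token === null ? null : { Authorization: "Bearer " + token };
  }
}

// Server-side alternative: the backend (a small server or Lambda) keeps the
// provider tokens and gives the page only an opaque session id in a cookie that
// scripts cannot read. This builds the Set-Cookie header value it would emit.
function buildSessionCookie(name, sessionId, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(sessionId)}`,
    "HttpOnly",      // not exposed via document.cookie, so XSS cannot read it
    "Secure",        // only sent over HTTPS
    "SameSite=Lax",  // not attached to most cross-site requests
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
  ].join("; ");
}

// Stand-alone demonstration with constructed token values.
function demo() {
  const store = new TokenStore(memoryStorage());
  store.save("strava", { accessToken: "constructed-strava-token", expiresIn: 3600 });
  store.save("komoot", { accessToken: "constructed-komoot-token", expiresIn: 3600 });
  return {
    strava: store.authHeader("strava"),
    komoot: store.authHeader("komoot"),
    cookie: buildSessionCookie("sid", "constructed-session-id", 3600),
  };
}
```

The store is what an Elm `port` module would talk to when the app saves a token after each redirect and asks for it back before a request; keying by provider is what keeps a Komoot request from ever carrying a Strava token. The cookie builder shows the shape of the answer's preferred option: it only applies once a small backend exists to hold the provider tokens, which is the trade-off the static-site case runs into.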

peterjamesward commented 3 years ago

I have little choice then as mine is a static web site so local storage appears my only option. Correction: my only easy option. A small web server (or Lambda function?) might be wise.

Thanks for the advice.

Peter