This is a series of posts divided into the following parts:
- Handling JWT securely on your client - Part-1
- Handling JWT securely on your client - Part-2
- Handling JWT securely on your client - Part-3
- Handling JWT securely on your client - Part-4
Summary
- Part-1 covers the main problem statement around JWT security in web-apps, presents a few options and evaluates them
- Part-2 dives deep into overcoming limitations of the option chosen in Part-1, e.g. SSO, silent authentication/refresh, etc.
- Part-3 talks about non-web clients, i.e. backend REST clients that don't run in a web browser, e.g. Postman
- Part-4 talks about other value-added flows such as JWT expiry, forced logout, etc.
Handling JWT securely on your client - Part-1
Assumptions
- We will focus on Single Page Application (SPA) web-apps here
- JWTs here are treated as access tokens or session tokens
- Our use case:
  - Our website is a SPA hosted on app1.com
  - The SPA allows login and logout at /login and /logout
  - After logging in, the SPA displays a button called "getData"
  - Once the button is pressed, the client-side JS sends a request to /api/data to obtain some data