DEV Community

HM

Handling JWT securely on your client

This is a series of posts divided into the following parts:

Summary

  • Part-1 covers the main problem statement around JWT security in web-apps; presents a few options and evaluates them
  • Part-2 dives deep into overcoming limitations of the option chosen in Part-1, e.g. SSO, Silent Authentication/Refresh, etc.
  • Part-3 talks about non web-apps, i.e. backend REST clients that don't run in web browsers, e.g. Postman
  • Part-4 talks about other value-added flows such as JWT expiry, forced logout, etc.

Handling JWT securely on your client - Part-1

Assumptions

  • We will focus on Single Page Application (SPA) web-apps here
  • JWTs here are treated as access tokens or session tokens
  • Our Use case:
    • Our website is a SPA and hosted on app1.com
    • The SPA allows login and logout at /login and /logout
    • After logging in the SPA displays a button called "getData"
    • Once the button is pressed, the client-side-js sends a request to /api/data to obtain some data

......continue here
