I'm using rest API, If I need to access those API endpoints need to authorize JWT Token. JWT tokens don't have any expiration so I can use anytime same token. Calling API through react application. Can anyone please help me with your idea where I can store JWT Token securely?
3
-
JWT tokens don't have any expiration - where did you get this idea? It's possible to create tokens without expiration, but that's usually not the case, most frameworks set an expiration time by default.jps– jps2022-02-24 06:57:17 +00:00Commented Feb 24, 2022 at 6:57
-
In my case, JWT doesn't have any automated expiration. So I should not store it cookies or local storage. Can you tell what are all the ways we can do? Thanks for your response.Prasanna Kumar– Prasanna Kumar2022-02-24 13:03:40 +00:00Commented Feb 24, 2022 at 13:03
-
1if possible, you better add expiration. The storage question comes up frequently, I don't think that there's anything to add that hasn't been written before.jps– jps2022-02-24 13:22:22 +00:00Commented Feb 24, 2022 at 13:22
Add a comment
|
1 Answer
To do it properly, you should use session cookies and not store the tokens in the browser at all.
Instead you should consider using the BFF pattern as described here:
- https://blog.bitsrc.io/bff-pattern-backend-for-frontend-an-introduction-e4fa965128bf
- https://www.youtube.com/watch?v=UBFx3MSu1Rc&t=13s&ab_channel=NDCConferences
- https://www.youtube.com/watch?v=lEnbi4KClVw&ab_channel=PhilippeDeRyck
I also just wrote a blog post about this topic: Implementing BFF Pattern in ASP.NET Core for SPAs
2 Comments
Josh Anderson
Old question, I know, but wouldn’t you still need to store the auth token locally for the BFF?
Tore Nestenius
You store the tokens on the backend, either in memory or in a database. See my updated answer above about a blog post I wrote about this.