In a recent project, I was trying to implement secure storage of JWT tokens in the front-end.
My previous approach was to store the access_token as well as the refresh_token in sessionStorage, which is vulnerable to XSS attacks. When the access_token expires, I call the /refresh endpoint to obtain a new access_token. Here I am passing the expired JWT in the Authorization header. The idea is to protect your refresh endpoint and make sure only logged-in users ask for the token.
After that, we changed the implementation to prevent XSS and CSRF, and followed this: LocalStorage vs. Cookies, which recommends storing your access token in memory and the refresh token in a cookie, so that from the FE we can't access the cookie (HttpOnly cookie).
Now the real challenge is that when the page refreshes, we lose the access_token, as we stored it in memory, and the API asks for the expired JWT token.
So my question is: does the /refresh endpoint require an expired JWT token, or is it good practice to use the refresh token without a JWT token?
Source: Angular Questions