In my recent work I was trying to implement secure storage of JWT tokens in the front end.

My previous approach was to store the `access_token` as well as the `refresh_token` in `sessionStorage`, which is vulnerable to XSS attacks. Then, when the `access_token` expires, I call the `/refresh` endpoint to obtain a new `access_token`. Here I am passing the expired JWT in the `Authorization` header. The idea is to protect the refresh endpoint and make sure only logged-in users ask for a token.

After that, we changed the implementation to prevent XSS and CSRF, following LocalStorage vs. Cookies, which recommends storing your access token in memory and the refresh token in a cookie, so from the FE we can't access the cookie (an `HttpOnly` cookie) and the `access_token`.

Now the real challenge is that when the page refreshes we lose the `access_token`, as we stored it in memory, and the API asks for the expired JWT token.

So my question is: does the `/refresh` endpoint require an expired JWT token, or is it good practice to use the refresh token without the JWT token?