-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The client libraries should include token management functionality #1674
Comments
OK 😅 I thought I was simply blind to something I thought would be obviously available, so thanks for posting this. I found it far easier to get up and running with oAuth, while I'm just stumbling with FusionAuth due to what I thought was incomplete docs, but now I see its incomplete "client libraries". I would think if you want to grow adoption, you focus on making SDKs have everything they need to implement it. Trying to figure out how to even use fusionauth has been quite the process... 🤷♂️ |
@fmp777 Thanks so much for the feedback! |
Storing Refresh Tokens in the browser opens them up to exfiltration attacks via XSS and javascript code. Depending on your application needs you may not be too worried about this. I wouldn't necessarily say this would increase security. |
Thanks for the comment @JohnBergant . Couldn't agree with you more that you have to watch out for XSS. We recommend storing refresh tokens in secure HTTPOnly cookies or server-side: https://fusionauth.io/articles/oauth/oauth-token-storage |
The client libraries should include token management functionality
Problem
I'm in the process of evaluating FusionAuth, and I was quite surprised (and disappointed) to find that the client libraries don't include functionality to:
This means that if we decide to use FusionAuth, we'll have to write all of this code ourselves. It doesn't seem ideal that every developer has to rewrite the same code, which also means that the code may be less secure (for developers with a limited understanding of OAuth).
Auth0 and Amazon Cognito include this.
Solution
The client libraries should include the above-mentioned functionality, to speed up and improve the security of the integration.
Alternatives/workarounds
Additional context
n/a
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
The text was updated successfully, but these errors were encountered: