The client libraries should include token management functionality #1674

Open
glen-84 opened this issue Apr 11, 2022 · 4 comments
glen-84 commented Apr 11, 2022

Problem

I'm in the process of evaluating FusionAuth, and I was quite surprised (and disappointed) to find that the client libraries don't include functionality to:

  1. Generate login/logout links (with state).
  2. Store access/refresh tokens (in memory, worker, local/session storage). (This API might be useful for multi-tab scenarios)
  3. Automatically use refresh tokens to update the access token.
  4. Handle PKCE. (on the client-side as well)

This means that if we decide to use FusionAuth, we'll have to write all of this code ourselves. It doesn't seem ideal that every developer has to rewrite the same code, which also means that the code may be less secure (for developers with a limited understanding of OAuth).

Auth0 and Amazon Cognito include this.

Solution

The client libraries should include the above-mentioned functionality, to speed up and improve the security of the integration.

Alternatives/workarounds

  • Write the code ourselves.
  • Use another CIAM provider.

Additional context

n/a

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

fmp777 commented Dec 5, 2022

OK 😅 I thought I was simply blind to something I thought would be obviously available, so thanks for posting this. I found it far easier to get up and running with OAuth, while I'm just stumbling with FusionAuth due to what I thought was incomplete docs, but now I see it's incomplete "client libraries".

I would think if you want to grow adoption, you focus on making SDKs have everything they need to implement it. Trying to figure out how to even use FusionAuth has been quite the process... 🤷‍♂️

mooreds commented Dec 5, 2022

@fmp777 Thanks so much for the feedback!

@JohnBergant

Storing refresh tokens in the browser opens them up to exfiltration attacks via XSS and JavaScript code. Depending on your application needs you may not be too worried about this. I wouldn't necessarily say this would increase security.

mooreds commented Jul 11, 2023

Thanks for the comment @JohnBergant. Couldn't agree with you more that you have to watch out for XSS.

We recommend storing refresh tokens in secure HTTPOnly cookies or server-side: https://fusionauth.io/articles/oauth/oauth-token-storage
