En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Amplify Cognito Auth JS Library keeps all tokens in localStorage?

0

Recently started building a SPA. I'm using the official AWS stand-alone Amplify javascript library for Auth. After deploying my SPA and logging in, I noticed that all of my tokens are persisted in local storage in the browser.

For example:

key
CognitoIdentityServiceProvider.1k90vt58oc1v7kfme68th8kdf0.myuser.accessToken
CognitoIdentityServiceProvider.1k90vt58oc1v7kfme68th8kdf0.myuser.refreshToken
CognitoIdentityServiceProvider.1k90vt58oc1v7kfme68th8kdf0.myuser.idToken

I'm fairly new to the frontend auth, but everything I've read has claimed that this is poor security. For example:

auth0.com: Using browser local storage

Here’s Why Storing JWT in Local Storage is a Disastrous Mistake

Best Practices for Storing Access Tokens in the Browser

Is this something that AWS is failing to account for?

Sujets
Web et mobile front-endSécurité, identité et conformitéFramework AWS Well-Architected
Balises
AWS AmplifyAmazon CognitoSécurité
Langue
English
dboardman
demandé il y a un mois509 vues
1 réponse
1
Réponse acceptée

You can use a custom storage adapter and use cookies for instance:

https://docs.amplify.aws/react/build-a-backend/auth/manage-user-session/#update-your-token-saving-mechanism

profile picture
EXPERT
Antonio_Lagrotteria
répondu il y a un mois
profile picture
EXPERT
Mikel Del Tio
vérifié il y a un mois
profile picture
EXPERT
Adeleke Adebowale J
vérifié il y a un mois
  • dboardman
    il y a un mois

    Do you know if the withAuthentication wrapper handles token refreshes automatically for me?

  • Antonio_Lagrotteria EXPERT
    il y a un mois

    Amplify will keep active session for as long as it can, but I don’t think it will automatically refresh the token. Typically I did call Auth.currentSession() which would then renew to token automatically

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents