Amplify Cognito Auth JS Library keeps all tokens in localStorage?

0

Recently started building a SPA. I'm using the official AWS stand-alone Amplify javascript library for Auth. After deploying my SPA and logging in, I noticed that all of my tokens are persisted in local storage in the browser.

For example:

key
CognitoIdentityServiceProvider.1k90vt58oc1v7kfme68th8kdf0.myuser.accessToken
CognitoIdentityServiceProvider.1k90vt58oc1v7kfme68th8kdf0.myuser.refreshToken
CognitoIdentityServiceProvider.1k90vt58oc1v7kfme68th8kdf0.myuser.idToken

I'm fairly new to the frontend auth, but everything I've read has claimed that this is poor security. For example:

auth0.com: Using browser local storage

Here’s Why Storing JWT in Local Storage is a Disastrous Mistake

Best Practices for Storing Access Tokens in the Browser

Is this something that AWS is failing to account for?

1 Answer
1
Accepted Answer
profile picture
EXPERT
answered 2 months ago
profile picture
EXPERT
reviewed 2 months ago
profile picture
EXPERT
reviewed 2 months ago
  • Do you know if the withAuthentication wrapper handles token refreshes automatically for me?

  • Amplify will keep active session for as long as it can, but I don’t think it will automatically refresh the token. Typically I did call Auth.currentSession() which would then renew to token automatically

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions