 

OIDC Access Token - Where to store?

As we know there are three tokens involved in OpenIDConnect:

  1. Access Tokens in OIDC are, by default, a random unique string, not encoded using JWT.
  2. ID tokens are encoded using JWT.
  3. Refresh Tokens

We usually place the ID token in the cookie in httpOnly mode.

My question is, where is the recommended storage of Access tokens? Surely you need to store them on the app side.

lecarpetron dookmarion asked Sep 02 '25 15:09


1 Answer

You can store the tokens wherever you like, but the most common approaches are:

  • Store the tokens inside the cookie. If the tokens are large, then this might be a problem because the cookies might get quite big.
  • Store the tokens in a cache in memory or in a database and store a "reference" to them in the session cookie.

The ID token usually has a very short lifetime (like 5 minutes from some providers) and it is used to create a local "user" object.

Tore Nestenius answered Sep 05 '25 15:09
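The second approach in the answer (tokens kept server-side, only a reference in the session cookie) as an added, runnable illustration; this is example code written for this page, not the answerer's own code or any framework's API. It assumes a cookie named `app_session`, an in-memory dict standing in for the cache or database, and constructed sample tokens; the size comparison at the end shows why putting the tokens themselves in the cookie makes it large.

```python
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional

SESSION_COOKIE = "app_session"  # hypothetical cookie name used by this example


@dataclass
class TokenSet:
    """The three OIDC tokens plus the access token's expiry (Unix time)."""
    access_token: str
    id_token: str
    refresh_token: Optional[str]
    expires_at: float


class ServerSideTokenStore:
    """Keeps token sets server-side, keyed by an opaque random session id.

    A dict stands in for the cache/database the answer mentions. Only the
    session id travels to the browser, so the cookie stays small no matter
    how large the tokens are, and the tokens are never exposed to page scripts.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, TokenSet] = {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    def create_session(self, tokens: TokenSet) -> str:
        # 32 random bytes -> 43-char URL-safe id: an unguessable reference to the tokens
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = tokens
        return session_id

    def get(self, session_id: str) -> Optional[TokenSet]:
        tokens = self._sessions.get(session_id)
        if tokens is None:
            return None
        if tokens.expires_at <= self._clock():
            # Expired access token: drop the entry so a stale token is never handed out
            del self._sessions[session_id]
            return None
        return tokens

    def revoke(self, session_id: str) -> None:
        """Logout: forgetting the server-side entry invalidates the cookie's reference."""
        self._sessions.pop(session_id, None)


def set_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie header that carries only the session reference."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_id
    morsel = cookie[SESSION_COOKIE]
    morsel["httponly"] = True   # not readable from page JavaScript
    morsel["secure"] = True     # only sent over HTTPS
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


def session_id_from_cookie_header(cookie_header: str) -> Optional[str]:
    """Parse an incoming Cookie request header and return the session id, if present."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def cookie_size_if_tokens_stored_directly(tokens: TokenSet) -> int:
    """Bytes a cookie would need if the tokens themselves were placed in it."""
    parts = [tokens.access_token, tokens.id_token, tokens.refresh_token]
    value = "|".join(p for p in parts if p)
    return len(f"tokens={value}")


def cookie_size_with_reference(session_id: str) -> int:
    """Bytes the cookie needs when it holds only the session id."""
    return len(f"{SESSION_COOKIE}={session_id}")


def constructed_tokens(now: float) -> TokenSet:
    """Constructed sample tokens for the demo; not issued by any real provider."""
    return TokenSet(
        access_token=secrets.token_urlsafe(48),                  # opaque random string, the OIDC default
        id_token="eyJhbGciOiJSUzI1NiJ9." + "x" * 900 + ".sig",  # placeholder JWT-shaped string
        refresh_token=secrets.token_urlsafe(48),
        expires_at=now + 300,                                    # 5-minute lifetime
    )


if __name__ == "__main__":
    store = ServerSideTokenStore()
    tokens = constructed_tokens(time.time())
    sid = store.create_session(tokens)
    print(set_cookie_header(sid))
    print("direct:", cookie_size_if_tokens_stored_directly(tokens), "bytes;",
          "reference:", cookie_size_with_reference(sid), "bytes")
    # On the next request the browser sends the cookie back; look the tokens up by reference
    returned = session_id_from_cookie_header(f"{SESSION_COOKIE}={sid}")
    assert store.get(returned) is tokens
```

The dict would be replaced by a shared cache or database in a multi-instance deployment, and `revoke` is what a logout handler would call so the cookie's reference stops resolving.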