Why can't I store an oauth refresh token in the browser?

Question

I want to store an oauth refresh token in the browser. The reason I want to store it there is so that the app can refresh the access token and let the user continue their session uninterrupted. I also want to eliminate the need for any kind of cache on the server to store the tokens, thus making it stateful.

I'm told that storing the refresh token in the browser is wrong because it's insecure.

I think it's OK because:

• The tokens would be stored in httpOnly, secure session cookies so they shouldn't be vulnerable to XSS or man in the middle attacks and they will be discarded when the user closes their session.
• All communication to the server is done via HTTPS
• The refresh token can be invalidated if suspicious activity is detected
• Most importantly you can't use the refresh token unless you know the client secret which would be known only by the server.

Am I wrong to think it should be OK? Please explain why!

Answer 1

Storing the tokens in an httpOnly, secure cookie is probably the best you can achieve security-wise. The problem sometimes is that an httpOnly cookie is not good enough due to other (non-security) reasons as Javascript obviously does not have access (that's the point). So people sometimes want to store tokens in other browser stores like localStorage, or slightly better, in JavaScript objects, both of which are significantly less secure than an httpOnly cookie (but still may be good enough for some applications).

Storing the token in an httpOnly and secure cookie makes it pretty much equivalent to a session id, and its security will also be the same in this respect (obviously other aspects may be different).