Tags: php, laravel, cookies, oauth-2.0

How to securely store a refresh_token on the frontend when using laravel/passport?


I am working on an OAuth 2.0 flow using Authorization Code Grant with PKCE, involving two local servers:

What I implemented:

The frontend redirects the user for authorization and later calls back to /auth/callback.

In the callback, I exchange the authorization code for access and refresh tokens using a dedicated /oauth/tokens endpoint on sso-identify.test.

Laravel responds with:

{
  "access_token": "...",
  "refresh_token": "...",
  "expires_in": "..."
}

In this case, JS will get access to refresh_token.

How do I store the refresh_token?


Solution

  • All the tokens should be exchanged between the servers and stored on the server, identified by the user session. This means the user should only have a session on the front-end server. Of course, this session manifests on the client as a cookie that holds only the session id.

    The access_token is used for API calls and is stored in client memory, since it expires after expires_in anyway. When the time is right to refresh the access_token, make an API call to YOUR server, which holds the session and thus all the tokens needed to refresh the access_token.

    Storage that is accessible to JavaScript is not secure.

    In short, don't store the refresh_token on the client.

    Update: I may have left out some details about the session, but the idea holds that the refresh_token should not be accessible to the client's JavaScript.