Best practice for sharing access token #3980
kirkegaard asked this question in Help · Unanswered · Replies: 0 comments
Hi, we run a site with NextAuth and our own OAuth provider. The site then includes a game in an iframe. That game communicates with our server via HTTP requests, but it needs to know the access token from the site. Now the question is: what is the best practice?
We've been talking about multiple solutions, but none of them seems really secure. One would be to store the access token in localStorage. That would be fine, except security seems somewhat of an issue.
Second, we could just read the secure cookie from the game. We would need to decrypt the cookie via the shared secret, which would expose the secret to the client. Not sure if that's bad, but it still raises some security concerns.
Third would be not to think about that stuff and just read the cookie on the server side. That seems a bit cumbersome, but I guess it could work?
Are there any other ways of doing this, or is one of these options actually the best-practice way?
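
A sketch of the third option from the question above, added here as an example and not part of the original post or of NextAuth's own code: the game sends its requests to the site's backend, which reads the session cookie server-side and attaches the access token, so neither the token nor the secret reaches browser script. It assumes the game's requests carry the site's cookie; the AES-GCM sealing is a stand-in for the library's real cookie format, and `SERVER_SECRET`, the `session` cookie name and `api.example.invalid` are hypothetical.

```javascript
const { createCipheriv, createDecipheriv, createHash, randomBytes } = require("node:crypto");

// Assumptions (constructed values): the secret lives only on the server.
const SERVER_SECRET = "constructed-demo-secret";
const COOKIE_NAME = "session"; // hypothetical cookie name
const UPSTREAM = "https://api.example.invalid"; // hypothetical game API
const key = (secret) => createHash("sha256").update(secret).digest();

// Stand-in for the auth library's cookie encryption (not NextAuth's real format).
function sealSession(session, secret) {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key(secret), iv);
  const body = Buffer.concat([c.update(JSON.stringify(session), "utf8"), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]).toString("base64url");
}

function openSession(sealed, secret) {
  try {
    const raw = Buffer.from(sealed, "base64url");
    const d = createDecipheriv("aes-256-gcm", key(secret), raw.subarray(0, 12));
    d.setAuthTag(raw.subarray(12, 28));
    const plain = Buffer.concat([d.update(raw.subarray(28)), d.final()]);
    return JSON.parse(plain.toString("utf8"));
  } catch {
    return null; // tampered, truncated, or sealed under a different key
  }
}

function readCookie(header, name) {
  for (const part of (header || "").split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k === name) return v.join("=");
  }
  return null;
}

// Proxy step: the game's cookie-bearing request becomes an upstream request with a bearer token.
function buildUpstreamRequest(gameReq, secret = SERVER_SECRET) {
  let url;
  try { url = new URL(gameReq.path, UPSTREAM); } catch { return { status: 400 }; }
  if (url.origin !== UPSTREAM) return { status: 400 }; // never send the token to another host
  const sealed = readCookie(gameReq.headers.cookie, COOKIE_NAME);
  const session = sealed && openSession(sealed, secret);
  if (!session || !session.accessToken || !(session.expires > Date.now())) {
    return { status: 401 }; // fail closed on missing, forged or expired sessions
  }
  return { status: 200, url: url.href, headers: { authorization: `Bearer ${session.accessToken}` } };
}
```

The response returned to the game should carry only the upstream API's payload, never the `authorization` header or the decrypted session.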