AzureAD/microsoft-authentication-library-for-go

[Documentation] Cache implementation for confidential clients

darylhjd opened this issue · 0 comments

Documentation related to component

Confidential client account caching.

Please check all that apply

  • typo
  • documentation doesn't exist
  • documentation needs clarification
  • error(s) in the example
  • needs an example

Description of the issue

Currently, it seems that the key that is used to access an account in the confidential client cache is the user's home account id.

My current implementation sets a cookie with the home account id as the value when the user logs in. This cookie is then used for authentication and to get the account from the cache, which I use to pass to acquire token silently. The problem with this is that the home account id is constant across sessions, which makes it susceptible to security issues.

Am I using the confidential client wrongly in this case? Or is it possible to use another value as the key (for example, the sid claim, which is supposed to change across sessions)?
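One way to keep the constant home account id out of the cookie, as an added example that is not part of this issue or of the MSAL Go library: the app mints a random per-login token, keeps the token-to-home-account-id mapping server side, and resolves it before looking the account up in the confidential client cache. `SessionStore` and its methods are hypothetical names, and the MSAL cache lookup itself is left to the caller.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"sync"
	"time"
)

// session ties an opaque per-login token to the MSAL home account ID (kept server side).
type session struct {
	homeAccountID string
	expires       time.Time
}

// SessionStore is a hypothetical in-memory store; the cookie carries one of its random tokens.
type SessionStore struct {
	mu       sync.Mutex
	ttl      time.Duration
	sessions map[string]session
}

func NewSessionStore(ttl time.Duration) *SessionStore {
	return &SessionStore{ttl: ttl, sessions: make(map[string]session)}
}

// Create mints a fresh 256-bit random token for one login of this account.
func (s *SessionStore) Create(homeAccountID string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[token] = session{homeAccountID, time.Now().Add(s.ttl)}
	return token, nil
}

// Lookup resolves a cookie token to the home account ID to pass to the cache; unknown or expired tokens give ok=false.
func (s *SessionStore) Lookup(token string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[token]
	if !ok || time.Now().After(sess.expires) {
		delete(s.sessions, token)
		return "", false
	}
	return sess.homeAccountID, true
}
```

Deleting the map entry on logout ends that session while the cache entry keyed by the home account id stays untouched for the next login.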