gardner/react-oauth2-pkce

Auth token stored in local storage is an XSS vulnerability

Opened this issue · 4 comments

Actually... I don't see a reference to local storage?

I can confirm that it does use localStorage. Please see

return window.localStorage.getItem(key)

This is definitely using local storage. For the PKCE flow, does anybody here know what I need to do to refresh this storage back to null when the user actually revokes access to the application on the server? I thought this would have been done automatically, but it is not. The auth item still appears under local storage and session storage even after the application has been revoked at the server.
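One way to handle the question above (stale token left in storage after the server revokes access), as an added example that is not code from react-oauth2-pkce: on start-up, re-check the stored access token against the server and clear both storages when it is no longer active. It assumes the provider (or your own backend, since introspection usually needs client credentials) exposes an RFC 7662 introspection endpoint, and that the library writes the token JSON under the key `auth` and the PKCE verifier under `pkce`; all three are assumptions, and `memoryStorage` is a constructed stand-in for `window.localStorage` so the code runs outside a browser.

```javascript
const AUTH_KEY = 'auth';   // assumed key for the token JSON written by the library
const PKCE_KEY = 'pkce';   // assumed key for the in-flight PKCE verifier

// Minimal Storage-like object so the example runs outside a browser (constructed).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Drop every cached artefact of the session from both storages.
function clearAuthStorage(local, session) {
  for (const store of [local, session]) {
    store.removeItem(AUTH_KEY);
    store.removeItem(PKCE_KEY);
  }
}

// Decide what to do with an RFC 7662 introspection response ({ active: bool, ... }).
// Pure, so it is easy to test; anything but active === true is treated as revoked.
function applyIntrospection(local, session, info) {
  if (info && info.active === true) return { state: 'active', cleared: false };
  clearAuthStorage(local, session);
  return { state: 'revoked', cleared: true };
}

// Run at app start (and on a timer if you like): re-check the stored token with
// the server so a revocation there is reflected client-side. `introspect(token)`
// is injected: in the browser it would call the introspection endpoint (or your
// backend); in tests it is a stub.
async function syncWithServer(local, session, introspect) {
  const raw = local.getItem(AUTH_KEY);
  if (raw === null) return { state: 'signed-out', cleared: false };
  let accessToken;
  try {
    accessToken = JSON.parse(raw).access_token;
  } catch (e) {
    return applyIntrospection(local, session, null); // unreadable entry: clear it
  }
  return applyIntrospection(local, session, await introspect(accessToken));
}
// Note: this only keeps the cached copy honest. It does not change the point in
// the issue title: anything in localStorage is readable by any script on the origin.
```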