Auth token stored in local storage is an XSS vulnerability
Opened this issue · 4 comments
altenfreelance commented
Storing the auth token in local storage is an XSS vulnerability.
Ridder90 commented
Actually... I don't see a reference to local storage?
gardner commented
I can confirm that it does use localStorage. Please see react-oauth2-pkce/src/AuthService.ts, line 113 in 2c33d03.
altenfreelance commented
robertito121 commented
This is definitely using local storage. For the PKCE flow, does anybody here know what I need to do to reset this storage back to null when the user actually revokes access to the application on the server? I thought this would have been done automatically, but it is not. The auth item still appears under local storage and session storage even after the application has been revoked at the server.
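As an added example (not code from react-oauth2-pkce), the sketch below contrasts an in-memory token holder with a Web Storage-backed one, and shows how a token-refresh handler can drop the stored auth item when the authorization server answers with `invalid_grant`, the RFC 6749 error a revoked refresh token produces. The storage stub, the `auth` key and the response shapes are constructed for the example.

```javascript
// Constructed stand-in for window.localStorage / window.sessionStorage so the
// example runs outside a browser; in the browser pass the real objects instead.
function createWebStorageStub() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}

// Hardened holder: the token lives only in a closure variable, so it is neither
// persisted across reloads nor readable through the Web Storage API.
function createMemoryTokenStore() {
  let token = null;
  return {
    get: () => token,
    set: (t) => { token = t; },
    clear: () => { token = null; },
  };
}

// Web Storage-backed holder (the pattern the issue is about): every script that
// runs in the origin can read this key, which is why it is the weaker choice.
function createWebStorageTokenStore(storage, key = 'auth') {
  return {
    get: () => { const raw = storage.getItem(key); return raw ? JSON.parse(raw) : null; },
    set: (t) => storage.setItem(key, JSON.stringify(t)),
    clear: () => storage.removeItem(key),
  };
}

// Applies a token-endpoint refresh response (RFC 6749 section 5.2 error format).
// A revoked refresh token comes back as error "invalid_grant"; on that answer
// the stored auth item is cleared so the app returns to the logged-out state.
function applyRefreshResponse(store, response) {
  if (response.error === 'invalid_grant') {
    store.clear();
    return { authenticated: false, reason: response.error };
  }
  if (response.access_token) {
    // The server MAY omit a new refresh token; keep the previous one if so.
    const previous = store.get() || {};
    store.set({
      access_token: response.access_token,
      refresh_token: response.refresh_token || previous.refresh_token || null,
    });
    return { authenticated: true, reason: null };
  }
  return { authenticated: store.get() !== null, reason: response.error || 'unexpected_response' };
}
```

Wiring `applyRefreshResponse` into the refresh path is what makes server-side revocation visible on the client; without a refresh attempt the client has no signal that the grant is gone.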