I have developed a login system using OAuth2.0 that is currently working within one tab in one browser. Without diving into the code, the system works by having the user enter their credentials to login, the credentials are sent up to the API (WebAPI2 .Net) from the client (Angular), the user is logged in via Active Directory, and then an access token and refresh token are returned to the client.
I am currently storing these within cookies. When an access token expires, the refresh token is grabbed from the cookie and used to get a new access token. All of this is working within one browser tab. However, we want to allow the user to be logged in to multiple tabs within a browser, and/or multiple browsers at the same time without effecting eachother (like facebook, etc.) Cookies are the wrong solution for storing these tokens because they don't communicate between different tabs, so I did some research and found localStorage which probably solves the between tabs problem.
However, I wanted to get some opinions on best strategy for being logged in across multiple tabs/browsers with the same login using OAuth2. I don't think you can store the tokens in SQL because then the call to the API isn't secure to get the refresh tokens across browsers. Do you create separate tokens in each browser with the same login and then localStorage in each browser to share that browser's token? Or is there a way to share refresh tokens safely across multiple browsers?
Best Answer
Between tabs, use
defineProperty
andsessionStorage
:Between browsers, use
window.postMessage
to communicate the need redirect to the authorization page:References
Using postMessage during embedded app authenticate · Shopify/shopify_app Wiki · GitHub
Authorization for Internet of Things using OAuth 2.0
Authentication and Authorization for Constrained Environments (ace) - Documents
Cross-window communication
GitHub - wingify/across-tabs: Easy communication between cross-origin browser tabs
Web Reflection: Do You Really Know Object.defineProperty ?
Can't spyOn sessionStorage or localStorage methods in Firefox · Issue #299 · jasmine/jasmine · GitHub