I was reading this question and still have doubts about my use case.
I know it's unsafe to store a JWT in local/session storage due to XSS attacks. But what if it's for a JWT that only lasts 1 min when they first log in? The client would then use this to get a longer + safer JWT to stay logged in from then on.
I'm using a third party identity provider to handle the initial login. The reason I have to do this is because their API that returns the JWT doesn't support httpOnly (for whatever reason). I still have to store the JWT temporarily somewhere before I get a new one in an httpOnly cookie from the server. Or should I store it in state (I'm using React)?
Is this approach safe? My reasoning is that even if they do get the JWT, it would only last 1 minute before it expires.
Overview
- User enters credentials on login page. Identity provider returns a 1 min long JWT to the client.
- Client stores JWT in local storage.
- Client calls GET /getJWT with the JWT from step 2 in the payload.
- Server validates the JWT. It issues a new JWT that lasts 15 min. Server sends a response with the JWT in an httpOnly cookie.