Hello, I have a question about best practices for securing access tokens and would like advice from experienced professionals.
I have two approaches to managing access tokens:
- The client manages the access token and refresh token itself.
- Manually creating a service or library that acts as an intermediary between the client and Keycloak/API Gateway. This service automatically manages the access and refresh tokens, while the client only needs to store a
session_id.
I’m unsure about the pros and cons of each approach and what best practices are commonly used. Please help if you have any insights.
You didn’t mention it explicitly, therefore I assume from the type of your question, that your client is a public client, being executed on the user device (browser, smartphone, etc.).
Best practice for public clients is to use a so called backend-for-frontend (BFF), handling the auth stuff and managing the tokens. The frontend “just” (of course as secure as possible) uses something like a sessionId to talk to the BFF. This is like you mentioned your approach 2.
While this is best practice, the other way (your approach 1) isn’t forbidden, you just have to deal with security differently. Think e.g. about using DPOP (RFC 9449 [1]) (which is currently a preview feature in Keycloak).
[1] RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP)
1 Like