
Secure access and refresh token handling in a SPA

Çağlar Arlı

I am trying to figure out how to handle access and refresh tokens securely on the front end in a SPA. After doing a lot of reading, I still have questions/doubts about the proposed solutions I found on the internet.

Basically, the internet says that the access token should be "in memory" only (not localStorage or sessionStorage). There is a suggestion to keep the access token in a JavaScript closure. This I understand completely. As for the refresh token, the internet says that it should be stored as an HttpOnly and Secure cookie. This way, when the access_token returns an authentication error, I can post to the refresh token endpoint and get a new access_token + refresh_token. I understand that this type of setup minimizes the chance of XSS stealing the tokens. However, in an application where the resources and the authentication are different API endpoints on the same exact domain, the refresh token is going to be added to every API call. Since the refresh tokens are long-lived and are going to be sent with every API request, isn't that a security issue also?
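As an added example (not code from the original post), the setup described above written out for a SPA client: the access token lives only in a closure, a fetch wrapper refreshes it through the HttpOnly cookie on a 401, and a small server-side helper scopes that cookie's `Path` to the refresh endpoint so the browser never attaches it to ordinary API calls on the same origin. The `/auth/refresh` path, `/api/me`, and the injected `fetchImpl` are assumptions for the demonstration.

```javascript
// Added example, not the original post's code. The endpoint paths and the
// injected fetchImpl are assumptions so the flow can be exercised offline.

function createAuthClient(fetchImpl, refreshPath = "/auth/refresh") {
  let accessToken = null; // held only in this closure, never in Web Storage

  async function refresh() {
    // The HttpOnly cookie is the only credential here; the browser attaches it
    // because credentials is "include". No token appears in the request body.
    const res = await fetchImpl(refreshPath, { method: "POST", credentials: "include" });
    if (!res.ok) throw new Error("refresh failed: " + res.status);
    accessToken = (await res.json()).access_token;
    return accessToken;
  }

  async function apiFetch(url, opts = {}) {
    const withAuth = (tok) => ({
      ...opts,
      credentials: "omit", // resource calls carry the bearer token, not cookies
      headers: { ...(opts.headers || {}), Authorization: "Bearer " + tok },
    });
    if (accessToken === null) await refresh();
    let res = await fetchImpl(url, withAuth(accessToken));
    if (res.status === 401) { // expired or revoked: refresh once, then retry
      await refresh();
      res = await fetchImpl(url, withAuth(accessToken));
    }
    return res;
  }

  return { apiFetch, hasToken: () => accessToken !== null };
}

// Server-side counterpart: a Set-Cookie value whose Path limits the refresh
// cookie to the refresh endpoint, so same-origin API calls do not carry it.
function refreshCookieHeader(refreshToken, refreshPath = "/auth/refresh") {
  return (
    `refresh_token=${encodeURIComponent(refreshToken)}; ` +
    `HttpOnly; Secure; SameSite=Strict; Path=${refreshPath}`
  );
}
```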