Okta SDKs not storing JWTs as http-only cookie
Overview
When one of Okta's JavaScript libraries handles authorization for a custom OpenID Connect (OIDC) single-page application, the SDK stores the ID token and access token (both JWTs) in the configured storageManager. When cookie storage is chosen, the JWTs are stored in cookies that are not set as `http-only`, so they remain readable by script running in the page.
Applies To
  • Auth JS

Auth JS is a dependency for the following JS frameworks/libraries and will also be affected:

  • Sign In Widget

  • Okta React

  • Okta Angular

  • Okta Vue

Cause
Because the Okta JavaScript libraries need to read these JWTs, either to obtain information about the user or to attach the access token as authorization to an outbound request, the cookies are deliberately set without `http-only`.
Solution

If storing JWTs in a browser cookie is not preferable, alternative storage options such as in memory, local storage, session storage, or a custom storage provider can be used. More information is available in the AuthJS documentation: https://github.com/okta/okta-auth-js#storagetype
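As an added illustration (not code from the Okta article or the okta-auth-js project), the following shows a memory-backed custom storage provider and the SPA configuration that selects it instead of cookie storage. The provider interface (`getItem`/`setItem`/`removeItem`) and the option name `tokenManager.storage` are assumptions about the library; confirm them against the AuthJS README linked above. Issuer, client ID and redirect URI are placeholders.

```javascript
// Added example, not part of the Okta article or okta-auth-js itself.
// Assumption: okta-auth-js accepts a custom storage provider object with
// getItem/setItem/removeItem under `tokenManager.storage` (check the README).

// Memory-backed provider: tokens live only inside this closure, so nothing is
// written to document.cookie, localStorage or sessionStorage, and the tokens
// are discarded when the page unloads.
function createMemoryStorageProvider() {
  const store = new Map();
  return {
    getItem(key) {
      return store.has(key) ? store.get(key) : null;
    },
    setItem(key, value) {
      store.set(key, String(value));
    },
    removeItem(key) {
      store.delete(key);
    },
    // Convenience for logout handling: drop every cached token at once.
    clear() {
      store.clear();
    },
  };
}

// Build the OktaAuth constructor options for a single-page app, wiring in the
// chosen storage provider. All URLs and IDs below are placeholders.
function buildOktaAuthOptions(provider) {
  return {
    issuer: 'https://{yourOktaDomain}/oauth2/default', // placeholder
    clientId: '{clientId}',                             // placeholder
    redirectUri: 'https://app.example.test/login/callback', // placeholder
    pkce: true,
    tokenManager: {
      storage: provider, // memory-backed provider instead of 'cookie'
    },
  };
}

// Usage in the application (requires the real library):
//   const oktaAuth = new OktaAuth(buildOktaAuthOptions(createMemoryStorageProvider()));
```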

If having the JWT retrievable on the front end of the application is not acceptable, it may be preferable to create a Web application instead, so that these tokens can be stored server-side.
