Readme:
In an OAuth 2.0 environment, this can present a challenge - the typical means of obtaining access tokens is via browser redirection (user interaction is sometimes required). For this reason, only the specific concern of making token-bearing requests must be handled within the service worker. All other concerns (such as actually obtaining tokens from the authorization server) must be handled in the main execution context.
The service worker can perfectly intercept the redirect with authorization code, exchange it for tokens, and keep it securely without giving them back to the main js application. Token renewal (or when the sw gets discarded) can still be handled by a "silent refresh" flow, for example. You don't even need the SW to communicate with the app anymore with that solution (well, you do need a kind of heartbeat to keep the SW alive).
Some POC implementation here:
https://github.com/Valuya/servicewauther
Some others I stumbled upon today:
https://infinum.com/blog/secure-token-storage-oauth2/
https://github.com/infinum/auth-worker
And maybe this:
https://about.grabyo.com/service-workers-jwt-tokens/
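An added example of the arrangement described in the comment above (JavaScript; not code from servicewauther, auth-worker or the commenter): a service worker core that consumes the authorization-code redirect itself, keeps the tokens in worker memory, attaches them to resource-server requests and, on a 401, runs one refresh_token grant (used here in place of the iframe-based silent refresh the comment mentions) before retrying. The endpoint URLs, redirect URI and client id are assumed placeholders, and PKCE/state checks are left out.

```javascript
// Added example (not from servicewauther, auth-worker or the commenter): the
// token-handling core of an OAuth 2.0 service worker. Tokens live only in
// worker memory; the page never sees the code or the tokens. Values are assumed.
const API_ORIGIN = 'https://api.example.test';                   // assumption
const TOKEN_ENDPOINT = 'https://auth.example.test/token';        // assumption
const REDIRECT_URI = 'https://app.example.test/oauth/callback';  // assumption
const CLIENT_ID = 'spa-client';                                  // assumption

const tokens = { access: null, refresh: null };  // worker-private state

// POST to the token endpoint and store the result. `doFetch` is injected so the
// logic can be exercised outside a worker (e.g. under Node).
async function tokenRequest(params, doFetch) {
  const res = await doFetch(new Request(TOKEN_ENDPOINT, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ client_id: CLIENT_ID, ...params }).toString(),
  }));
  if (!res.ok) return false;
  const json = await res.json();
  tokens.access = json.access_token;
  tokens.refresh = json.refresh_token ?? tokens.refresh;
  return true;
}

// Copy of the request with the worker-held bearer token attached.
function withBearer(request) {
  const headers = new Headers(request.headers);
  headers.set('Authorization', `Bearer ${tokens.access}`);
  return new Request(request, { headers });
}

async function handleRequest(request, doFetch = fetch) {
  const url = new URL(request.url);
  // 1. Authorization-code redirect: consume the code here and send the app on.
  if (url.origin + url.pathname === REDIRECT_URI && url.searchParams.has('code')) {
    const ok = await tokenRequest({ grant_type: 'authorization_code',
      code: url.searchParams.get('code'), redirect_uri: REDIRECT_URI }, doFetch);
    return Response.redirect(ok ? 'https://app.example.test/' : 'https://app.example.test/login', 303);
  }
  // 2. Resource-server calls: attach the token; on 401 refresh once and retry.
  if (url.origin === API_ORIGIN && tokens.access) {
    let res = await doFetch(withBearer(request));
    if (res.status === 401 && tokens.refresh && await tokenRequest(
        { grant_type: 'refresh_token', refresh_token: tokens.refresh }, doFetch)) {
      res = await doFetch(withBearer(request));
    }
    return res;
  }
  return doFetch(request);  // 3. everything else passes through untouched
}
```

Inside the worker this is wired up with `self.addEventListener('fetch', e => e.respondWith(handleRequest(e.request)))`; the app itself never handles a code or a token.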