csrf – OpenID Connect: Is storing the access token in the browser secure?

I am currently integrating my website with OpenID Connect provided by KeyCloak. The website is not a single-page application; different parts of the application are delivered by different web services.

On each page delivered by these different web services, the user can call a standard REST API. This REST API can only be accessed with an access token received from KeyCloak. Therefore, the user must log in to the website using the OpenID Connect authorization code flow offered by KeyCloak and use the access token provided by the token endpoint. The request carrying the access token can be sent either by the browser or by one of the back-end services that delivers the current website. So we can do either a client-side integration or a server-side integration with the REST API.

Unfortunately, server-side integration is not as feasible due to the complex structure of the back-end systems. I cannot even integrate most of the web services with KeyCloak. Therefore, we could store the access token in the browser in local storage and access the REST API directly from the browser. However, I'm still not sure whether storing the access token in the browser introduces a security vulnerability.

I have not found any official statement regarding this in the standards so far. I have seen applications that store it in the back end and others that store it in the browser, and I still cannot say what the exact security benefit of using a session instead of an access token is when the token is stored in the back end. I do not intend to store the refresh token in the browser; I will use only the authorization code flow with the help of a back-end service.

My questions:

  • Is storing the access token in the browser a security vulnerability? For example, in local storage, in an HttpOnly cookie, or both.
  • Is there any way to mitigate the security threat and still store it in the browser?
  • Is there a recommended practice or guide for storing OpenID Connect access tokens that you could refer me to?
  • What is the difference, from a security perspective, between storing the access token and storing a session, if we can use the session to access the API through an intermediary service?

Thanks in advance for your help!