Bug
Resolution: Done
Description
Maybe I missed it, but in the Keycloak JS documentation for SPA applications, I didn't find anywhere that the default, and only built-in, storage is in memory for the access token and refresh token.
I saw the information in the discussion group. So it should be added explicitly, saying that it's not resilient to a page reload or a new tab.
To support those cases (because of UX; security is always a compromise), OWASP recommends sessionStorage: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.md#token-storage-on-client-side
But it has to be implemented manually by the developer: at init, at auth success, at refresh, at logout.
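As an added example (not the reporter's code and not part of keycloak-js), the manual sessionStorage persistence the report describes, wired to the four points it lists; the adapter-like object and the storage are constructed stand-ins so it runs offline, and the storage key is an assumption.

```javascript
// Added example: keep keycloak-js tokens in sessionStorage across a page reload by
// wiring the four points the report names: init, auth success, refresh, logout.
const KEY = 'kc-tokens'; // assumed storage key, not a keycloak-js convention

// Init: restore the previous page load's tokens, e.g.
// keycloak.init({ ...initOptionsFrom(sessionStorage), onLoad: 'check-sso' }).
function initOptionsFrom(storage) {
  const raw = storage.getItem(KEY);
  if (raw === null) return {};
  try {
    const { token, refreshToken, idToken } = JSON.parse(raw);
    return { token, refreshToken, idToken };
  } catch {
    storage.removeItem(KEY); // corrupt entry: fall back to a fresh login
    return {};
  }
}

// Auth success and each refresh: snapshot the adapter's three tokens.
function saveTokens(kc, storage) {
  const { token, refreshToken, idToken } = kc;
  storage.setItem(KEY, JSON.stringify({ token, refreshToken, idToken }));
}
// Logout: drop them, or the next reload would resurrect the session.
function clearTokens(storage) { storage.removeItem(KEY); }

// keycloak-js exposes onAuthSuccess, onAuthRefreshSuccess and onAuthLogout; note
// that sessionStorage is readable by every script on the origin (the trade-off).
function attachPersistence(kc, storage) {
  kc.onAuthSuccess = () => saveTokens(kc, storage);
  kc.onAuthRefreshSuccess = () => saveTokens(kc, storage);
  kc.onAuthLogout = () => clearTokens(storage);
  return kc;
}

// Constructed stand-in for window.sessionStorage so the example runs offline.
function fakeStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => { m.set(k, String(v)); }, removeItem: k => { m.delete(k); } };
}

// One simulated session on a constructed adapter-like object:
// login, refresh, "reload" (a fresh page reading the same storage), logout.
function demo() {
  const storage = fakeStorage();
  const kc = attachPersistence({ token: 'at1', refreshToken: 'rt1', idToken: 'id1' }, storage);
  kc.onAuthSuccess();
  Object.assign(kc, { token: 'at2', refreshToken: 'rt2' }); kc.onAuthRefreshSuccess();
  const afterReload = initOptionsFrom(storage); // what the reloaded page hands to init()
  kc.onAuthLogout();
  return { afterReload, afterLogout: initOptionsFrom(storage) };
}
```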
Discussion
No response
Motivation
No response
Details
No response