From 941e7cc3a532cd7f29d70dbdb4b5a472ff6a41be Mon Sep 17 00:00:00 2001 From: AndyMunro Date: Mon, 26 Feb 2024 15:06:57 -0500 Subject: [PATCH] notes about access and refresh tokens Closes #26919 Signed-off-by: AndyMunro --- .../securing_apps/topics/oidc/javascript-adapter.adoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/documentation/securing_apps/topics/oidc/javascript-adapter.adoc b/docs/documentation/securing_apps/topics/oidc/javascript-adapter.adoc index 9f9365e20f..68c46ceee1 100644 --- a/docs/documentation/securing_apps/topics/oidc/javascript-adapter.adoc +++ b/docs/documentation/securing_apps/topics/oidc/javascript-adapter.adoc @@ -119,6 +119,11 @@ try { const users = await fetchUsers(); ---- +[NOTE] +==== +Both access and refresh token are stored in memory and are not persisted in any kind of storage. Therefore, these tokens should never be persisted to prevent hijacking attacks. +==== + ==== Session Status iframe By default, the adapter creates a hidden iframe that is used to detect if a Single-Sign Out has occurred. This iframe does not require any network traffic. Instead the status is retrieved by looking at a special status cookie. This feature can be disabled by setting `checkLoginIframe: false` in the options passed to the `init()` method.
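Review bot: The added [NOTE] in the `javascript-adapter.adoc` hunk has a grammar slip and a circular second sentence: "Both access and refresh token are stored in memory" should read "Both the access and refresh tokens are stored in memory", and "are not persisted in any kind of storage. Therefore, these tokens should never be persisted" restates the first clause as its own justification. The point a reader needs is that the adapter deliberately keeps both tokens only in memory and that application code must not copy them elsewhere; suggest: "Both the access and refresh tokens are held in memory by the adapter and are not persisted to any storage. Application code should likewise never persist them, for example in local storage, session storage, or cookies, because a stored token can be stolen and reused (token hijacking)." Placement after the closing `----` of the listing and before the `==== Session Status iframe` heading is fine, and the `[NOTE]` / `====` admonition block syntax is correct AsciiDoc.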