Hello, Randall! Very interesting! I'd like to know, what do you recommend for static-only websites? I want a stateless static website that consumes an AWS Lambda API. My users log in to a third-party Identity Provider. This returns an ID token and an access token; these are verified by the Lambda function with the Identity Provider, but yeah, you're right, there's no way to prove the token was not stolen...
As much as I understand the article and the reasoning behind it, I think the absent answer to this question makes it pretty clear that none of the solutions offered here is actually working. And this is a very very very common scenario (I just used it so I can submit my post here...). The fact that the author of the article doesn't provide any realistic solution just makes me frustrated and automatically discards any credibility he might have. To me this is just another rant over the way things are without any ideas or contributions of how to actually get it fixed. It's very easy to say "Use cookies and force the backend server to support them", but the reality is that all this is dictated by APIs that already have specifications in place, and they very rarely support cookies. As front-end developers actually responsible for using localStorage, we have little to no control over that at this point.