Say we have multiple instances of application X deployed on **site1.com, site2.com, site3.com**, etc., and we have a centralized server at **example.com** serving all of these.
All the instances of X are static sites; that is, they do not have a server and thus cannot proxy requests to endpoints.
We understand the issues with XSS and CSRF involved, but we don’t understand how else to make authentication work cross-site. Our application instances are usually “control panels” where users log in to manage their data or other information regarding their organization. They are strictly user <-> server and there is no third-party application involved which might require some access_token.
I have read in a lot of places that storing tokens (JWTs) in LocalStorage is a bad idea. Other places ask you to avoid cookies since they are vulnerable to CSRF. And some places ask you to use id_token and access_token. So where are we supposed to store tokens then?
It’s quite confusing, and I seem to be missing something super obvious (or super complicated). Thanks for helping out!