Hi,

Thanks very much for your response. Excellent question.

Yes. Things are stored at both client- and server-side.

Moving token-management to the server-side requires a http-session. This means at the client side, cookies are required to make this work. At the server side, variables are stored either in memory, or in case of a distributed app, encrypted session state is stored in Redis cache.

The key difference here, conceptually, is that token management is only entrusted to trusted resources in your (secure) network instead of the user's laptop which should be considered compromised by default. To make this as secure as possible, it would be smart to harden that network and the resources.

Hope this answers your question?

Cheers,