Netlify-Identity storing access_token in localStorage and custom roles lookup

We’re investigating so no site yet. We do have one using netlify-identity, but it’s a different configuration from what we’re looking into.
No DNS issues
No Build problems.

We’re investigating netlify-identity again for a project but I am concerned about it storing the access_token in localStorage. Is that something to be concerned about or a custom solution to prevent it?
In addition we would like to use a “scope” claim inside of the JWT token instead of “roles” or “metadata.roles”, is this something configurable through the _redirects file now or is this still something without a UI or API to change?
Thanks
Andy

Storing the JWT in localstorage is pretty standard. The only time you would need to be concerned is if your JWT secret becomes known but if you are using netlify Identity, there’s no chance of that since even you won’t know it. You’ll just need to make sure you verify the token against Identity.

For _redirect rules, you are only able to gate content based on roles. This isn’t something you can configure or accomplish currently. You might be able to gate content based on a scope claim in a future feature, but I don’t have an ETA on when such a feature would be released.

Apps do this for sure but it’s not secure and strongly discouraged. The token is supposed to be stored in a secure http only cookie instead. BTW That was the
reason for our request to support multiple cookies in lambda a while ago. We needed to use it to store our auth0 id and access tokens along side of our nf_jwt tokens as secure http cookies.

I do understand. A related question was asked in the gotrue-js repository and you can see the response from one of our engineers here: https://github.com/netlify/gotrue-js/issues/168#issuecomment-689980609.

The gotrue-js client can be enabled to set a cookie via the setCookie, which I think you are already aware of.

Chiming in from the sidelines just to address your last point @richtera: I believe that we did recently ship a PR to implement multiValueHeaders in functions