Authorization Code Flow Implementation: Access Token vs Cookie-Based Authentication from Browser

I have a regular web app, with a browser client and a database that lives on the server, with the backend written in Go. The database can save access tokens.

I have tried to implement Authorization Code Flow ( I’m confused about whether or not I should be using the access token and exposing it in the browser React code. I have seen recommendations from Auth0 that the access token should be stored in the server if possible (for example, see here: Which is the best way to store the auth0 token for a web app); but does this mean that I may allow the client React code to use the access token?

In order to avoid exposing the access token to the browser and React client code at all, I have implemented a cookie-based authentication mechanism. Upon logging in, a cookie is stored in the browser, and then this cookie (sent via HTTP request) is used in the backend to retrieve an access token from my server-side database. This access token is then validated and used upon every API request to my server.

Is this implementation reasonable?

An alternative (which I have not implemented) is to have the server send the access token (after authorization code flow completes) directly to the browser, where it will be used (and not stored) in the React Javascript code. Then upon every API request to my server, the access token would be attached to the ‘Bearer’ header of the HTTP request. If the user has a valid cookie, they would receive a token from the server (not just when code flow completes).

Let me know which implementation is preferred.

1 Like

facing a similar situation. any preferred method you found?