Storing access tokens in HttpOnly Secure SameSite=Strict cookie?

Setup:

Proxy Server

  • handles domain and routes requests

Micro Frontends

  • domain/app1, domain/app2, etc.

Distributed APIs

  • domain/api/app1, domain/api/app2, etc.

Proposed Flow:

  1. Auth flow started by user using auth code grant
  2. Backend receives auth code grant, exchanges for access token, and sets the token as a cookie w/ HttpOnly Secure SameSite=Strict
  3. One of the micro front-ends tries to make a request to an API
  4. The proxy server receives the request and moves the cookie value to the Authorization header as a Bearer token before sending the request to the respective API service

I felt the following configuration on the cookie would make this a reasonable approach:

  • HttpOnly protects against XSS attacks and prevents JS code from reading the cookie
  • SameSite=Strict protects against CSRF

Would this be considered good/safe practice? I have been told storing access tokens in the browser anywhere is not safe/encouraged.
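The cookie-to-bearer hop from steps 2 and 4 above, as an added example that is not part of the original post or of Auth0's code: pure functions for the Set-Cookie value the backend emits and for the header rewrite the proxy performs. The cookie name, the Path=/api scoping and the header shapes are assumptions.

```javascript
// Added example, not from the original post. Names below are assumptions.
const COOKIE_NAME = 'access_token'; // assumed cookie name

// Step 2: Set-Cookie value emitted after the code exchange. Path=/api keeps
// the cookie off requests for micro-frontend assets; the other attributes
// are the ones proposed in the post.
function buildTokenCookie(token, maxAgeSeconds) {
  // A token with ';' or whitespace would corrupt the cookie header.
  if (!/^[A-Za-z0-9._~+/=-]+$/.test(token)) {
    throw new Error('token contains characters not allowed in a cookie value');
  }
  return `${COOKIE_NAME}=${token}; Path=/api; Max-Age=${maxAgeSeconds}; ` +
    'HttpOnly; Secure; SameSite=Strict';
}

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Step 4: headers the proxy forwards to an API service. The cookie value
// becomes the bearer token; the Cookie header is not forwarded, and any
// Authorization header sent by the browser is dropped so a script in a
// micro-frontend cannot substitute its own token.
function forwardHeaders(path, incoming) {
  const all = {};
  for (const [k, v] of Object.entries(incoming)) all[k.toLowerCase()] = v;
  const headers = {};
  for (const [k, v] of Object.entries(all)) {
    if (k !== 'cookie' && k !== 'authorization') headers[k] = v;
  }
  if (!path.startsWith('/api/')) return headers; // only API routes get a bearer
  const token = parseCookies(all.cookie)[COOKIE_NAME];
  if (token) headers.authorization = `Bearer ${token}`;
  return headers; // no cookie -> no Authorization; the API returns 401 itself
}
```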

Hi @sam2099,

Welcome to the Auth0 Community! Answering this since it might help others as well.

Your understanding is very on point! Generally storing access tokens in the browser directly is not recommended, but Auth0 recommends storing tokens in browser memory as the most secure option. Using Web Workers to handle the transmission and storage of tokens is the best way to protect them, mentioned in our documentation as well.

However, your approach is quite solid as well, since sending an encrypted cookie mitigates risks against XSS or CSRF attacks. This blog post on Secure Browser Storage provides detailed information on the matter.

Thanks,
Remus