Storing access tokens in HttpOnly Secure SameSite=Strict cookie?

sam2099 · April 19, 2024, 8:10pm

Setup:

Proxy Server

Micro Frontends

Distributed APIs

Proposed Flow:

Auth flow started by user using auth code grant
Backend receives auth code grant, exchanges for access token, and sets the token as a cookie w/ HttpOnly Secure SameSite=Strict
One of the micro front-ends tries to make a request to an API
The proxy server receives the request and moves the cookie value to the Authorization header as a Bearer token before sending the request to the respective API service

I felt the following configuration on the cookie would make this a reasonable approach:

HttpOnly protects against XSS attacks and prevents JS code for reading the cookie
SameSite=Strict protects agains CSRF

Would this be considered good/safe practice? I have been told storing access tokens in the browser anywhere is not safe/encouraged.

Topic		Replies	Views
For cookie containing access_token, setting secure = false, is that bad practice? Help	1	1532	November 2, 2022
SPA and tokens storage Help security-question-concern , security-compliance	4	366	May 1, 2024
Token from "getAccessTokenSilently" in frontend insecure? JWT.io api , security	6	255	June 21, 2024
Alternative to local storage for storing token Help	10	14182	September 3, 2019
Cookies Not Marked as Secure and Cookies Not Marked as HttpOnly Help security-question-concern , security-compliance	1	1728	August 28, 2024