Storing access tokens in HttpOnly Secure SameSite=Strict cookie?


Proxy Server

  • handles domain and routes requests

Micro Frontends

  • domain/app1, domain/app2, etc.

Distributed APIs

  • domain/api/app1, domain/api/app2, etc.

Proposed Flow:

  1. Auth flow started by user using auth code grant
  2. Backend receives auth code grant, exchanges for access token, and sets the token as a cookie w/ HttpOnly Secure SameSite=Strict
  3. One of the micro front-ends tries to make a request to an API
  4. The proxy server receives the request and moves the cookie value to the Authorization header as a Bearer token before sending the request to the respective API service

I felt the following configuration on the cookie would make this a reasonable approach:

  • HttpOnly protects against XSS attacks and prevents JS code from reading the cookie
  • SameSite=Strict protects against CSRF

Would this be considered good/safe practice? I have been told storing access tokens in the browser anywhere is not safe/encouraged.
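Step 4 of the proposed flow, as an added example that is not code from the original post: a Node-style header rewrite for the proxy that turns the HttpOnly cookie into a Bearer header and discards both the cookie and any browser-supplied Authorization header before forwarding to the API. The cookie name `access_token`, the `/api` path scope and the function names are assumptions.

```javascript
// Added example (not from the original post). Pure functions over plain
// header objects so they fit any Node proxy/middleware; names are hypothetical.

const TOKEN_COOKIE = "access_token"; // assumed cookie name

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

// Build the header set the proxy forwards to the API service:
// - the token cookie becomes Authorization: Bearer <token>
// - an Authorization header sent by the browser is discarded, so the
//   HttpOnly cookie is the only credential the proxy honours
// - the Cookie header itself is never forwarded to the API
// - returns null when no well-formed token is present (caller answers 401)
function buildUpstreamHeaders(incomingHeaders) {
  const headers = {};
  for (const [k, v] of Object.entries(incomingHeaders)) {
    const lk = k.toLowerCase();
    if (lk === "cookie" || lk === "authorization") continue;
    headers[lk] = v;
  }
  const cookies = parseCookies(incomingHeaders.cookie ?? incomingHeaders.Cookie);
  const token = cookies[TOKEN_COOKIE];
  // RFC 6750 b64token charset; also rules out CR/LF header injection
  if (!token || !/^[A-Za-z0-9\-._~+\/]+=*$/.test(token)) return null;
  headers.authorization = `Bearer ${token}`;
  return headers;
}

// Set-Cookie value the backend emits after the code exchange (step 2),
// scoped to the API path so it is only sent on proxied API calls.
function buildTokenCookie(token, maxAgeSeconds) {
  return `${TOKEN_COOKIE}=${token}; Path=/api; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}
```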