Storing access tokens in HttpOnly Secure SameSite=Strict cookie?

sam2099 · April 19, 2024, 8:10pm

Setup:

Proxy Server

Micro Frontends

Distributed APIs

Proposed Flow:

Auth flow started by user using auth code grant
Backend receives auth code grant, exchanges for access token, and sets the token as a cookie w/ HttpOnly Secure SameSite=Strict
One of the micro front-ends tries to make a request to an API
The proxy server receives the request and moves the cookie value to the Authorization header as a Bearer token before sending the request to the respective API service

I felt the following configuration on the cookie would make this a reasonable approach:

HttpOnly protects against XSS attacks and prevents JS code for reading the cookie
SameSite=Strict protects agains CSRF

Would this be considered good/safe practice? I have been told storing access tokens in the browser anywhere is not safe/encouraged.

Topic		Replies	Views
Authorization Code Flow Implementation: Access Token vs Cookie-Based Authentication from Browser Help	2	5854	September 1, 2022
Where to store refresh token on WEB? JWT.io jwt , login	2	4811	July 8, 2019
Isn't storing a JWT in a non-httponly cookie just as insecure as local storage? JWT.io cookie , localstorage	4	9203	August 21, 2020
Securing access tokens in SPA + API Help spa , rest-api	4	5500	August 2, 2019
Request to use HttpOnly Cookies for Auth0 Authentication Help classic-universal-login-experience , login-experience	3	2750	February 15, 2023