Setup:
Proxy Server
- handles domain and routes requests
Micro Frontends
- domain/app1, domain/app2, etc.
Distributed APIs
- domain/api/app1, domain/api/app2, etc.
Proposed Flow:
- Auth flow started by user using auth code grant
- Backend receives auth code grant, exchanges for access token, and sets the token as a cookie w/ HttpOnly Secure SameSite=Strict
- One of the micro front-ends tries to make a request to an API
- The proxy server receives the request and moves the cookie value to the Authorization header as a Bearer token before sending the request to the respective API service
I felt the following configuration on the cookie would make this a reasonable approach:
- HttpOnly protects against XSS attacks and prevents JS code from reading the cookie
- SameSite=Strict protects against CSRF
Would this be considered good/safe practice? I have been told storing access tokens in the browser anywhere is not safe/encouraged.