Rami

Reputation: 520

openid connect 2.0 and setting authentication JWT in http only cookie

Since local storage and session storage are both accessible via JavaScript it is best not to store the authentication JWT in either of them to avoid XSS attacks.

Since OpenID connect 2.0 is performed on a separate domain how do we set a server-side HTTP only cookie that contains the authenticated JWT?

My guess is this:

  1. The user goes to your website then clicks sign-in.
  2. The user gets redirected to the 3rd party OpenID connect 2.0 provider.
  3. The user signs in and is now redirected to the route of your choice www.example.com/myredirectlogin.
  4. The user's browser then makes a get request when the redirect lands on my route and it passes in the JWT token in the URI.
  5. The server then validates the JWT via Asymmetric algorithm with the public key given by the provider.
  6. The server then returns a server-side HTTP only cookie with the JWT as the value and the client-side doesn't have any recollection of the JWT since it was only in the URI and isn't stored anywhere else.

My question is: Is the above the correct process to securely handle OpenIDConnect 2.0 flow?

Upvotes: 1

Views: 2231

Answers (2)

Rami

Reputation: 520

I found the answer within authorization code flow: https://connect2id.com/learn/openid-connect

List of steps

OAuth 2.0 and OIDC Authorization code flow

  1. The user hits your website's login route
  2. The user is redirected to an identity provider with a proper tenant id
  3. The user is authenticated and is redirected to your callback route with an access token in a query parameter, i.e. &access_code=234234sdfkljsak.
  4. A GET request is executed on your web server at the callback route with the access token in the query parameters.
  5. This callback GET route should then make a POST call to retrieve an actual JWT identity token from the provider, i.e. Azure B2C, and it will add the access token as part of the request either as a query parameter or in the POST body.
  6. The provider (Azure B2C) then responds with an identity JWT token that we send back to the user's browser as an HTTP-only session cookie. That way the user is now SSOed among all browser tabs, the cookie is sent with every request automatically, and it is protected from XSS.

Upvotes: 1

Shaun the Sheep

Reputation: 22742

I'm assuming you mean the "Id Token" when you say "authentication JWT", since that's the only JWT required by OpenID connect.

All the flows that OpenID connect supports are listed in the spec. If you want to log in to the authorization server and authenticate to a separate site, then you will often use the "authorization code" flow which doesn't send the ID token to the browser at all. There are other flows defined by OpenID connect, but none of them mention storing the ID token in a cookie - how the session is maintained between the client (the site you're authenticating to) and the browser is a separate issue from authenticating the user.

Upvotes: 1
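The server side of the authorization code callback described in both answers, as an added example that is not code from either answer or from any provider's SDK. It assumes placeholder issuer, client and redirect values; the redirect parameter is named `code` as in the OIDC spec, the token exchange is shown only as the request the server would POST (no network call), signature verification of the ID token is assumed to be done with a JOSE library before the claim checks, and the cookie carries an opaque server session id rather than the ID token itself, which keeps session management separate from authentication as the second answer notes.

```python
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed provider/client values (placeholders, not a real tenant).
ISSUER = "https://login.example-idp.invalid/tenant/v2.0"
TOKEN_ENDPOINT = ISSUER + "/oauth2/token"
CLIENT_ID = "my-client-id"
REDIRECT_URI = "https://www.example.com/myredirectlogin"

def parse_callback(url, expected_state):
    """Pull the authorization code out of the redirect URL. The state must equal
    the value saved in the user's session before the redirect (login CSRF check)."""
    q = parse_qs(urlparse(url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in q:
        raise ValueError("provider returned " + q["error"][0])
    return q["code"][0]

def token_request(code):
    """Back-channel POST body (form-encoded) for the token endpoint. The browser
    never sees this request, the client secret, or the tokens in the response."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                      "client_secret": "<client secret, placeholder>"})
    return TOKEN_ENDPOINT, body

def check_id_token_claims(claims, expected_nonce, now=None):
    """Claim checks that follow signature verification (JOSE library against the
    provider's JWKS, not shown). Returns the subject identifier on success."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed ID token)")
    return claims["sub"]

def session_cookie(session_id):
    """Set-Cookie value for the server-side session created after login: an opaque
    id only (no JWT), HttpOnly so page scripts cannot read it, Secure, SameSite=Lax."""
    c = SimpleCookie()
    c["sid"] = session_id
    for attr, val in (("httponly", True), ("secure", True), ("samesite", "Lax"), ("path", "/")):
        c["sid"][attr] = val
    return c.output(header="").strip()
```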
