Cesar

Reputation: 43

Store Access Token and Refresh Token in cookies

I know I could be using OAuth, OpenID or SAML. However, I am wondering if I could take a simpler path given that my apps are running under the same sub-domain and I have CORS properly configured.

These apps are either built in React or server side Razor Pages with Antiforgery Token.
For these two types of apps, would it be OK to store them in cookies?

Upvotes: 0

Views: 6056

Answers (1)

Gary Archer

Reputation: 29218

The following is in line with OAuth patterns. Hopefully the pointers move you forward a little, though I am not aware of factors such as the data sensitivity of your apps.

REFRESH TOKEN

If you store this in a cookie then use these properties:

  • SameSite=Strict
  • HttpOnly
  • Secure
  • Domain=admin.mycompany.com
  • Path=/login/refresh

ACCESS TOKEN

Do the same and use a different path if required. Avoid use of non-HttpOnly cookies, since malicious code in the browser could then grab tokens by reading document.cookie.

Another option is to send the RT cookie to get an access token to the browser and store it in memory - see BFF TMI.

Note however that access tokens in the browser are discouraged since they have more risks and require more mitigations - see this video.

ENCRYPTION

Encrypt cookies containing tokens using AES256 and a secret only known server side.

SCOPING

Ideally each app should redirect and get its own independent tokens, since otherwise there is a risk that an App1 user has App3 permissions - make sure your back end authorization deals with this.

Upvotes: 4
