Is it safe to store access_token in cookies in Code Grant flow?

Question

I am using Cognito's Authentication Code Grant. After logging in, a user is given a code inside the callback URL which is later exchanged for an `access_token`.

In my web application, after logging in, a user can access a "console" (similar to AWS). Each time the user interacts with the console (like accessing a service) it does it through an api in API Gateway.

Unauthenticated users should not access the console and all its services. Hence, the way I am doing this is that every time the user wants to make a request to these REST endpoints the `access_token` is required.

However, this `access_token` should be stored somewhere so that the user can pass it in the request headers for later calls.

Where should this `access_token` be stored?

Which is the right way to do this? Maybe requiring the `access_token` in every API endpoint is not right?

Answer

Hi apssg,

You can store your access tokens on client side (local storage/http cookie) or server side in a DynamoDB database, depending on your security and requirements level. Bear in mind that client side is vulnerable to XSS attack.

Moreover, on dynamo you can delete old tokens via Time To Live feature enabled and should be more secure.

It is a good practice to always pass access token as Bearer token in the Authorization header so that you can protect your application with short lived authorization mechanism.

Hope it helps.

Is it safe to store access_token in cookies in Code Grant flow?

Relevant content