oauth-wg / oauth-browser-based-apps

Best practices for OAuth in Browser-Based Apps
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps

BFF proxy storing access tokens in browser as `HttpOnly` cookies #22

Closed johakoch closed 1 year ago

johakoch commented 1 year ago

In some cases, the BFF proxy itself may not be able to store access tokens, e.g. if it is a load-balanced gateway without a centralized persistence layer. However, the BFF proxy can make the browser store the tokens as HttpOnly cookies (with a configurable Path) by adding a Set-Cookie response header.

What do you think?

aaronpk commented 1 year ago

Sounds like a reasonable middle ground, noting that you do lose out on some protections of avoiding the tokens ever hitting the browser.

aaronpk commented 1 year ago

Now that I think about it, a better option would be to encrypt the tokens with a key known only to the proxies, that way the token value itself is never available to the browser.

I don't know if this needs to be called out specifically, since this type of "encrypted-cookie-as-stateless-storage" pattern is pretty commonplace.
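As an added illustration of the pattern discussed in this thread (the BFF handing the browser an `HttpOnly` cookie with a configurable `Path`, refined so the cookie holds the token encrypted under a key only the proxies know), here is example Go code that is not part of the draft or of any project mentioned above. It assumes an AES-256-GCM key shared by all proxy instances, a cookie name of `bff_at` and a `/api` path prefix; all of these, and the sample token, are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// Cookie that carries the sealed access token (assumed name for this example).
const tokenCookieName = "bff_at"

// sealToken encrypts an access token under the proxy-held key with AES-256-GCM
// and returns nonce||ciphertext as base64url, which is a valid cookie value.
func sealToken(key []byte, token string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// The cookie name is bound as associated data, so a sealed value cannot be
	// presented under some other cookie the proxy also decrypts.
	sealed := gcm.Seal(nonce, nonce, []byte(token), []byte(tokenCookieName))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// openToken reverses sealToken; tampering or a foreign key yields an error,
// so the proxy never forwards a token it did not seal itself.
func openToken(key []byte, cookieValue string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(cookieValue)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("cookie value too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(tokenCookieName))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// tokenCookie builds the Set-Cookie the BFF returns after the token response.
// HttpOnly keeps script away from the value, Secure restricts it to TLS,
// SameSite limits cross-site sending, and Path scopes it to the proxy prefix.
func tokenCookie(sealed, path string, maxAge int) *http.Cookie {
	return &http.Cookie{
		Name: tokenCookieName, Value: sealed, Path: path, MaxAge: maxAge,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	}
}

// bearerFromRequest is the per-request step on any proxy instance: read the
// cookie, unseal it, and return the Authorization value for the resource
// server. The plaintext token exists only inside the proxy.
func bearerFromRequest(key []byte, r *http.Request) (string, error) {
	c, err := r.Cookie(tokenCookieName)
	if err != nil {
		return "", err
	}
	token, err := openToken(key, c.Value)
	if err != nil {
		return "", err
	}
	return "Bearer " + token, nil
}

func main() {
	// Constructed key; in a deployment each proxy loads the same key from its
	// secret store, which is what makes the cookie storage stateless.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, _ := sealToken(key, "constructed-sample-access-token")
	c := tokenCookie(sealed, "/api", 3600)
	fmt.Println("Set-Cookie:", c.String())

	req, _ := http.NewRequest("GET", "https://app.example/api/me", nil)
	req.AddCookie(c)
	hdr, err := bearerFromRequest(key, req)
	fmt.Println(hdr, err)
}
```

Because every instance holds the same key, any proxy behind the load balancer can unseal the cookie without shared session state; rotating that key invalidates all outstanding cookies at once, which is the trade-off against server-side storage.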