Closed johakoch closed 1 year ago
Sounds like a reasonable middle ground, noting that you do lose out on some protections of avoiding the tokens ever hitting the browser.
Now that I think about it, a better option would be to encrypt the tokens with a key known only to the proxies, that way the token value itself is never available to the browser.
I don't know if this needs to be called out specifically, since this type of "encrypted-cookie-as-stateless-storage" pattern is pretty commonplace.
In some cases, the BFF proxy itself may not be able to store access tokens, e.g. if it is a load-balanced gateway without a centralized persistence layer. However, the BFF proxy can make the browser store the tokens as HttpOnly cookies (with a configurable Path) by adding a Set-Cookie response header.

What do you think?
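An added example of the encrypted-cookie approach discussed above (not code from this thread or from the spec it discusses): a Go BFF seals the access token with AES-GCM under a key held only by the proxies, then hands it to the browser as an HttpOnly, Secure cookie with a configurable Path. The cookie name, function names and the key bytes used in the test are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net/http"
)

// newGCM builds an AES-GCM AEAD from a 16/24/32-byte key shared only by the BFF proxies.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken encrypts a token for browser storage: base64url(nonce || ciphertext || tag).
func sealToken(gcm cipher.AEAD, token string) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(token), nil)), nil
}

// openToken reverses sealToken; a tampered or forged cookie fails the GCM tag check.
func openToken(gcm cipher.AEAD, sealed string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(sealed)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed sealed token")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(plain), err
}

// tokenCookie is the Set-Cookie the BFF adds: HttpOnly keeps scripts away from it,
// Secure restricts it to TLS, and the configurable Path limits which requests carry it.
func tokenCookie(gcm cipher.AEAD, token, path string) (*http.Cookie, error) {
	v, err := sealToken(gcm, token)
	if err != nil {
		return nil, err
	}
	return &http.Cookie{Name: "bff_at", Value: v, Path: path, HttpOnly: true,
		Secure: true, SameSite: http.SameSiteLaxMode}, nil
}
```

On each proxied request the BFF reads the cookie, calls openToken and forwards the recovered token upstream; the browser never sees the plaintext.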