I am learning about different Oauth2 flows but it does not provide any guidelines on securely persisting different kinds of access tokens in different scenarios and I could not find relevant information on the topic by Google-fu.

I am wondering if is it safe to save access tokens in a secure frontend context like httpOnly cookie and optionally directly calling the api from the browser without proxying it through the application server?

It appears more secure to me because access tokens unlike passwords cannot be hashed, the means to recover all access tokens (if encrypted) must exist on the server otherwise it would not be able to call the service on behalf of the user. So, were the application server compromised so would the access tokens of all users.

Am I missing some context here or is it correct?

CodePudding user response：

If you think about sharing your own access token with some users user agent (browser), then this solution is never secure. The user agent (browser) is something working totally on behalf of the user. The user, if he wants to, may have access to any kind of resource the user agent operates with. Sharing a token with the user agent is like sharing the token with the user himself.

CodePudding user response：

Whichever method you choose, you need to ensure your backend verifies the token (e.g jwt).

You probably wouldn't need to verify a secure cookie because a secure cookie cannot be accessed/modified by the browser.