0

Background

I have an authentication microservice that handles the user authentication and returns 2 JWT cookies (access_token and refresh_token).

I want to incorporate an API gateway that does the JWS validation on only the access token that is sent in the cookies.

The concerns

Most API gateways do not support cookie validation; they expect the JWT to be passed in the authorisation header, and cookies get sent with every request by the browser regardless.

Questions

What are the potential solutions to the above problem such that I do not have to extract the access token and put it in the authorisation header, and can instead send it with both the access and refresh token cookies?

The last resort is to build custom plugins for API Gateways. I want to be able to deploy it over different API Gateways with minimal configuration.

I have also considered a hybrid approach where the refresh token is stored in localStorage and the access token in a cookie, but the issue of extracting the access token from the cookie to put it in the authorisation header still remains, and I would prefer to use cookies over localStorage.

What is the industry standard and/or best practice for this? From what I understand, based on this IETF Best Practices draft, they recommend not using cookies as a storage medium for browser-based JavaScript applications.

2
  • Why are you so set on using cookies for authorization, instead of using the methods designed for that purpose (i.e. the Authorization header)? Commented Jul 19, 2023 at 6:36
  • I am not too sure how to best secure tokens if they are stored in localstorage. Hence, overreliance on cookies.
    – Neil
    Commented Jul 20, 2023 at 2:53
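The gateway-side check the question describes (validate the JWS in the access_token cookie only, leave refresh_token alone), written as an added Go example; it is not code from the question, from any answer, or from a particular API gateway. Assumptions: HS256 with a key shared between the auth service and the gateway, a `typ` claim in the payload that distinguishes access from refresh tokens, and the cookie names from the question. After a successful check the middleware copies the token into an Authorization header and drops the Cookie header, which is one way to satisfy an upstream service or gateway plugin that only reads the header without the browser ever touching the cookie.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Shared HS256 key: an assumption for this demo. A real gateway loads it (or
// the auth service's public key, for RS256/ES256) from configuration.
var hmacKey = []byte("demo-shared-secret-change-me")

// claims is the subset of the payload the gateway cares about. Using a "typ"
// claim to tell access and refresh tokens apart is an assumption of this example.
type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
	Typ string `json:"typ"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintToken stands in for the auth microservice so the example runs offline.
func mintToken(c claims) string {
	header := b64url([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	signingInput := header + "." + b64url(payload)
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil))
}

// verifyJWS checks a compact JWS: pinned algorithm, constant-time signature
// comparison, then expiry. Claims are trusted only after the signature passes.
func verifyJWS(token string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	if header.Alg != "HS256" { // never let the token choose the algorithm ("none", key confusion)
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c claims
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return nil, err
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired or has no exp")
	}
	return &c, nil
}

// authenticateRequest is the gateway middleware: read only the access_token
// cookie (refresh_token is ignored), verify it, then rewrite the request so an
// upstream that only understands Authorization headers still works.
func authenticateRequest(r *http.Request, now time.Time) (*claims, error) {
	ck, err := r.Cookie("access_token")
	if err != nil {
		return nil, errors.New("no access_token cookie")
	}
	c, err := verifyJWS(ck.Value, now)
	if err != nil {
		return nil, err
	}
	if c.Typ != "access" { // a refresh token placed in the access cookie must not pass
		return nil, errors.New("not an access token")
	}
	r.Header.Set("Authorization", "Bearer "+ck.Value)
	r.Header.Del("Cookie") // do not forward the refresh token to resource services
	return c, nil
}

func main() {
	now := time.Now()
	req, _ := http.NewRequest("GET", "http://api.internal/orders", nil)
	req.AddCookie(&http.Cookie{Name: "access_token", Value: mintToken(claims{Sub: "alice", Exp: now.Add(15 * time.Minute).Unix(), Typ: "access"})})
	req.AddCookie(&http.Cookie{Name: "refresh_token", Value: mintToken(claims{Sub: "alice", Exp: now.Add(24 * time.Hour).Unix(), Typ: "refresh"})})
	c, err := authenticateRequest(req, now)
	fmt.Println(c, err, req.Header.Get("Authorization") != "")
}
```

Because the extraction happens at the gateway rather than in page JavaScript, the access_token cookie can stay HttpOnly, and the gateway is the only component that needs the verification key; the services behind it see a plain bearer header.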
