I'm working on integrating OAuth 2.0 token management via Stormpath into my application. Currently I'm storing the access token in a cookie by building a cookie like so:
import javax.servlet.http.Cookie;

// Builds the cookie that carries the Stormpath access token back to the browser.
public Cookie buildAuthCookie(OauthGrantAuthenticationResult ogar){
    Cookie authCookie = new Cookie("authCookie", ogar.getAccessTokenString());
    authCookie.setSecure(true);   // only sent over HTTPS
    authCookie.setHttpOnly(true); // not readable from JavaScript
    return authCookie;
}
and attaching it to my response like so:
response.addCookie(buildAuthCookie(ogar));
Is the only thing I need to attach to the cookie from the OAuthGrantAuthenticationResult the access-token or is there something else I need to add? The documentation I've been reading (http://docs.stormpath.com/guides/token-management/) seems to have the client passing the token-type as well but is that something I need to pass to the client in a cookie?
The result from the Stormpath API does provide the token_type attribute, defined as Bearer, as that's the expected default from an OAuth endpoint. The idea is to inform the client how the token should be used to authenticate future requests, the default strategy being as an HTTP header Authorization: Bearer <token>, where <token> is the compact token string that you got from getAccessTokenString().
But in your case you're going to store it in a cookie, and the browser will send it back in a Cookie header, nice and simple :) so there's no need for the client to know much else about the token. However you should set the expiration time of the cookie to be the same as the expiration time of the token, so that the browser will automatically purge the token when it is no longer valid.
You're also doing the right thing by making this a secure, http only cookie that can't be stolen by malicious JavaScript, so this approach looks pretty good to me.
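An added example (not code from the question, the answer, or the Stormpath SDK) showing the cookie built with a Max-Age equal to the token lifetime, read back from the Cookie header on a later request, and cleared on logout. The lifetime is passed in as a plain number of seconds; how you obtain it from your grant result (for instance a getExpiresIn() accessor) is an assumption, as are the class name AuthCookies and the path "/".

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AuthCookies {
    // Same cookie name the question uses.
    static final String COOKIE_NAME = "authCookie";

    // Build the cookie so that the browser discards it when the access token
    // expires. expiresInSeconds is the OAuth "expires_in" value for the token;
    // where it comes from is up to the caller (assumed, not taken from the page).
    public static Cookie buildAuthCookie(String accessToken, long expiresInSeconds) {
        Cookie c = new Cookie(COOKIE_NAME, accessToken);
        c.setSecure(true);    // HTTPS only
        c.setHttpOnly(true);  // not readable from JavaScript
        c.setPath("/");       // sent on every path of the app, not only the login URL
        // Max-Age is an int in the Servlet API. Clamp it, and never send a negative
        // value: that would make a session cookie that can outlive the token.
        int maxAge = (int) Math.min(Math.max(expiresInSeconds, 0L), (long) Integer.MAX_VALUE);
        c.setMaxAge(maxAge);
        return c;
    }

    // Pull the token back out of the Cookie header on a subsequent request.
    // Returns null when the browser sent no usable auth cookie.
    public static String accessTokenFrom(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName()) && c.getValue() != null && !c.getValue().isEmpty()) {
                return c.getValue();
            }
        }
        return null;
    }

    // The "Bearer <token>" form the answer describes, for any code path that
    // still expects an Authorization header value rather than the raw cookie.
    public static String bearerHeaderValue(String accessToken) {
        return "Bearer " + accessToken;
    }

    // Logout: overwrite the cookie with the same name and path and Max-Age 0.
    public static void clearAuthCookie(HttpServletResponse response) {
        Cookie c = new Cookie(COOKIE_NAME, "");
        c.setSecure(true);
        c.setHttpOnly(true);
        c.setPath("/");
        c.setMaxAge(0);
        response.addCookie(c);
    }
}
```

Usage from the login handler would be response.addCookie(AuthCookies.buildAuthCookie(ogar.getAccessTokenString(), expiresInSeconds)), with expiresInSeconds taken from wherever your grant result exposes the token lifetime. One caveat to keep in mind with the cookie strategy: because the browser attaches the cookie to every matching request on its own, a request forged from another origin carries it too, which the Authorization-header strategy does not suffer from; state-changing endpoints therefore still need a CSRF defence.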