I know I could be using OAuth, OpenID or SAML. However, I am wondering if I could take a simpler path given that my apps are running under the same sub-domain and I have CORS properly configured.
These apps are either built in React or server side Razor Pages with Antiforgery Token.
For these two types of apps, would it be ok storing?
The following is in line with OAuth patterns. Hopefully the pointers move you forward a little, though I am not aware of factors such as the data sensitivity of your apps.
REFRESH TOKEN
If you store this in a cookie then use these properties:
ACCESS TOKEN
Do the same and use a different path if required. Avoid use of non HTTP Only cookies since malicious code in the browser could then grab tokens by reading document.cookie.
Another option is to send the RT cookie to get an access token to the browser and store it in memory - see BFF TMI.
Note however that access tokens in the browser are discouraged since they have more risks and require more mitigations - see this video.
ENCRYPTION
Encrypt cookies containing tokens using AES256 and a secret only known server side.
SCOPING
Ideally each app should redirect and get its own independent tokens, since otherwise there is a risk that an App1 user has App3 permissions - make sure your back end authorization deals with this.