
Storing bearer token in cookie for file retrieval in another tab

Çağlar Arlı


The existing system stores the bearer token in a cookie to fulfill a customer request: an attachment should not only be downloadable within the application but also openable in another tab. This is achieved by a client application that is an SPA (React), with Spring Boot as the backend. Security is maintained through the OAuth2.0 (Implicit Grant Type) flow in association with Keycloak. Please note that this functionality is limited exclusively to file downloads.

To facilitate the aforementioned process, the token is preserved in a session cookie with a lifespan of five minutes, a duration that also applies to the token itself. Our backend incorporates a custom bearerTokenResolver that retrieves the token from the header. The token in the cookie is only used under specific conditions: the header is not present, the request is a GET request, the cookie is present on the request, and the requested URL matches a certain pattern.

However, I remain uncertain about the overall security of this method. Is it a safe practice to store the JWT token in a cookie? It should be noted that it is the client that sets the cookie, so it is not an HTTP-only cookie. On a positive note, the cookie is temporary and can only be used for specific URLs. Yet the principal question at hand remains: is the security of this method sufficient?
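The resolver described in the question, written out as an added example (this is not the asker's code and not Spring's own fallback logic). It assumes Spring Boot 3 / Spring Security 6 (jakarta servlet API), a cookie named `fileToken` and a download path pattern `/api/files/*/download`; all three names are assumptions, as is the `SecurityConfig` wiring at the bottom. The header is always tried first via Spring's `DefaultBearerTokenResolver`, and the cookie is consulted only when all four of the question's conditions hold, so that a cookie can never authenticate a POST, PUT or DELETE, nor any GET outside the download URLs.

```java
// Added example, not code from the original post.
// Assumed names: cookie "fileToken", pattern "/api/files/*/download".
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.util.WebUtils;

public class CookieFallbackBearerTokenResolver implements BearerTokenResolver {

    private static final String COOKIE_NAME = "fileToken";              // assumed name
    private static final String DOWNLOAD_PATTERN = "/api/files/*/download"; // assumed pattern

    // Spring's default resolver reads only the Authorization: Bearer header
    // (query-parameter and form-body resolution are off by default).
    private final BearerTokenResolver headerResolver = new DefaultBearerTokenResolver();
    private final AntPathMatcher matcher = new AntPathMatcher();

    @Override
    public String resolve(HttpServletRequest request) {
        // Condition 1: the header wins whenever it is present.
        String fromHeader = headerResolver.resolve(request);
        if (fromHeader != null) {
            return fromHeader;
        }
        // Condition 2: cookie fallback is for GET only, so a cross-site form
        // post or fetch with credentials can never be authenticated this way.
        if (!HttpMethod.GET.matches(request.getMethod())) {
            return null;
        }
        // Condition 3: only for the download URLs. getServletPath() excludes the
        // servlet context path, so the pattern is matched against the app path.
        if (!matcher.match(DOWNLOAD_PATTERN, request.getServletPath())) {
            return null;
        }
        // Condition 4: the cookie must be present and non-empty. Its value is
        // handed to the normal JWT decoder, so expiry and signature are still
        // verified exactly as for a header-borne token.
        Cookie cookie = WebUtils.getCookie(request, COOKIE_NAME);
        if (cookie == null || cookie.getValue() == null || cookie.getValue().isBlank()) {
            return null;
        }
        return cookie.getValue();
    }
}

// Assumed wiring: the resolver replaces the default one for the resource server.
@Configuration
class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .bearerTokenResolver(new CookieFallbackBearerTokenResolver())
                .jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

Two practical checks follow from this shape. First, because the SPA sets the cookie from JavaScript it cannot be HttpOnly, so it is readable by any script running in the page; that is the same exposure the token already has wherever the SPA keeps it for the Authorization header, so the cookie adds nothing new there, but it should still be set with `Secure`, `SameSite=Strict`, `Path` restricted to the download prefix and a `Max-Age` no longer than the token's remaining lifetime. Second, the GET-only, pattern-only fallback means the worst a cross-site request can do is trigger a download the victim's browser receives, not the attacker; with `SameSite=Strict` the cookie is not sent on cross-site navigations at all.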