My question is: is this approach correct given that I have a non-OAuth service? My goal is to use the smallest set of security features while still being as strong as possible.
My approach is as follows, and I am asking for feedback on whether I am making a mistake in my thinking.
- Client can authenticate with an OAuth provider.
- Client receives an encoded JWT.
- Client sends the signed JWT to the service.
- Service verifies the JWT. Since my service is not an OAuth-based service, I don't provide an access token.
- Instead I send back a stripped-down version of the JWT in an HttpOnly, SameSite=Strict cookie.
- Client never keeps the original JWT anywhere.
- For authorization I simply look at the provided cookie.
- I use POST for state-changing operations and never GET, in order to get the benefit of SameSite.
- I can ignore CSRF tokens because SameSite gives me the benefit of not needing to use Double Submit (header + cookie).
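The flow described in the question, written out as an added Python example that is not from the original post. Everything in it is an assumption made so that it runs offline: HS256 with shared secrets stands in for the provider's real RS256 keys published via JWKS, and the issuer and audience strings, the session TTL, the `roles` claim and the extra `Secure` cookie attribute are all invented here. It shows the provider JWT being verified with a pinned algorithm, the stripped-down session token being minted into an `HttpOnly; SameSite=Strict` cookie, and authorization reading only that cookie, with state-changing requests required to be POST.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this offline example. A real OAuth provider signs with
# RS256 and publishes its keys via JWKS; HS256 shared secrets are used here only
# so the block runs stand-alone.
PROVIDER_SECRET = b"constructed-provider-secret"
SERVICE_SECRET = b"constructed-service-session-secret"
PROVIDER_ISSUER = "https://idp.example"      # assumed issuer of the provider JWT
SERVICE_AUDIENCE = "my-service"              # assumed audience the provider puts in the JWT
SESSION_ISSUER = "my-service"                # the service signs its own session token
SESSION_TTL = 3600                           # assumed session lifetime in seconds


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Produce an HS256 JWT; used both to fake the provider and to mint the session token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now: int) -> dict:
    """Check algorithm, signature, issuer, audience and expiry; raise ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose it (blocks alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def login(provider_token: str, now: int) -> str:
    """Verify the provider JWT and return a Set-Cookie value carrying a stripped-down session token."""
    claims = verify_jwt(provider_token, PROVIDER_SECRET, PROVIDER_ISSUER, SERVICE_AUDIENCE, now)
    # Keep only what authorization needs; the provider token itself is never stored or re-issued.
    session = {"iss": SESSION_ISSUER, "aud": SESSION_ISSUER, "sub": claims["sub"],
               "roles": claims.get("roles", []), "iat": now, "exp": now + SESSION_TTL}
    token = sign_jwt(session, SERVICE_SECRET)
    # Secure is an assumed addition on top of the HttpOnly and SameSite=Strict from the question.
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


def authorize(cookie_header: str, method: str, state_changing: bool, now: int) -> dict:
    """Authorize a request from its Cookie header alone; state-changing operations must be POST."""
    if state_changing and method != "POST":
        raise ValueError("state-changing operations must use POST")
    cookies = dict(part.strip().split("=", 1) for part in cookie_header.split(";") if "=" in part)
    if "session" not in cookies:
        raise ValueError("no session cookie")
    return verify_jwt(cookies["session"], SERVICE_SECRET, SESSION_ISSUER, SESSION_ISSUER, now)


if __name__ == "__main__":
    now = int(time.time())
    # Constructed provider JWT standing in for what the OAuth provider would hand the client.
    provider_jwt = sign_jwt({"iss": PROVIDER_ISSUER, "aud": SERVICE_AUDIENCE, "sub": "alice",
                             "email": "alice@example", "roles": ["editor"], "exp": now + 300},
                            PROVIDER_SECRET)
    set_cookie = login(provider_jwt, now)
    request_cookie = set_cookie.split(";", 1)[0]   # what the browser sends back
    print(set_cookie)
    print(authorize(request_cookie, "POST", True, now)["sub"])
```

The session token deliberately drops claims such as `email` that the provider included, and `verify_jwt` is shared between the two steps so the same algorithm pinning, audience check and expiry check apply to the provider JWT and to the service's own cookie.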