OAuth Cookies Not Set to HttpOnly
Last Updated:
Overview
This article discusses the purpose of the okta-oauth-nonce, okta-oauth-redirect-params, and okta-oauth-state cookies set by Okta's JavaScript libraries and why they are not set to HttpOnly.
Applies To
- AuthJS and its related libraries (Sign-in Widget, Angular, React, and Vue)
Cause
When Okta's JavaScript libraries are used to complete the login flow for an OpenID Connect (OIDC) application, it will store parameters used to complete the flow within the following cookies:
okta-oauth-nonceokta-oauth-redirect-paramsokta-oauth-state
These cookies are used to track parameters used in the OpenID Connect flow (for example, Authorization Code Flow) so that the application is able to persist these values.
Solution
As these cookies are being set and then read by the Okta JavaScript libraries, they must not be set to HttpOnly so they can be used by the library to complete the user login flow. If the cookies were set to HttpOnly, it would not be possible for the JavaScript libraries to read them to complete the OpenID Connect flow.
