Session or local storage is what I use nowadays. You need to take measures against CSRF when using cookies, but local storage is only accessible to your JavaScript, so as far as I understood the documentation of multiple auth providers, it is not necessary in the case that you don't use cookies for any sensitive data.
You still need to watch out for people inserting malicious JS into your app, of course.
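The server-side check behind this point, as an added example that is not part of the original post: a cookie session must also present a CSRF token, while a token sent in an `Authorization` header is accepted without one. The `sid` cookie name, the `X-CSRF-Token` header, and the session and token values are assumptions constructed for illustration.

```javascript
// Constructed sample state: one cookie session and one bearer token.
const SESSIONS = new Map([["sess-abc", { user: "alice", csrf: "csrf-123" }]]);
const BEARER_TOKENS = new Map([["tok-xyz", { user: "alice" }]]);

// Compare two strings without returning early on the first mismatch.
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Decide whether a state-changing request is allowed.
// `headers` uses lower-cased names, as Node's http module provides them.
function authorize(headers) {
  const auth = headers["authorization"] || "";
  if (auth.startsWith("Bearer ")) {
    // The browser never attaches this header on its own: page script has to
    // read the token from storage and set it, so no CSRF token is required.
    const t = BEARER_TOKENS.get(auth.slice(7));
    return t ? { ok: true, user: t.user, via: "bearer" }
             : { ok: false, reason: "bad token" };
  }
  const sid = parseCookies(headers["cookie"]).sid;
  const session = sid && SESSIONS.get(sid);
  if (!session) return { ok: false, reason: "no credentials" };
  // Cookies are attached automatically, also on requests started from another
  // site, so the request must additionally prove it came from our own page.
  if (!safeEqual(headers["x-csrf-token"] || "", session.csrf)) {
    return { ok: false, reason: "csrf check failed" };
  }
  return { ok: true, user: session.user, via: "cookie" };
}
```

Script injected into the page can read the stored token and set the header itself, so the bearer branch relies entirely on keeping untrusted JavaScript out of the app.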