I have a bunch of subdomains: auth.example.com, api.example.com, dashboard.example.com, and reports.example.com. The reports site, by default, displays some basic reports (I know, duh).
Now if a user logs in to the dashboard via the auth page (hosted on the dashboard and auth subdomains, respectively), I want to display a bit more data. The trick is that both the dashboard and the report site are SPAs that fetch data from the API. The report endpoint of the API optionally accepts an OAuth2 token and, if it is present and has the necessary access rights, will respond with the extended data set.
The question is, how should I share the access token? I could store the token in a non-HttpOnly cookie (I canʼt use an HttpOnly cookie since the data exchange happens in AJAX requests). Is there a better way?
Gergely Polonkai
You have to believe in things that are not true. How else would they become?
OK, reading my own question after I solved this problem is kind of embarrassing, given how easy the solution is. I fell into the X-Y problem trap.
Iʼm doing OAuth2 here. That means different consumers of the API (api.example.com) can, and actually should, have different access tokens, all obtained from the authorisation server (auth.example.com).
Iʼm glad this question didnʼt get too much exposure 😁