Say I have a service that has two domains
app.myapp.com
api.myapp.com
My app does the whole OAuth/OpenID flow.
app.myapp.com/oauth
app.myapp.com/oauth/callback
In the /callback I set the accessToken as an http-only cookie on the current domain (app.myapp.com).
I have an assortment of microservices that live on api.myapp.com, all of which require an accessToken to work.
In the /callback stage of the OAuth flow, can I specify the other domain in my http-only cookie?
I am using Go + Gin
c.SetCookie(
"accessToken",
accessToken,
3600,
"/",
"",
false,
true,
)
Well, it depends. In general, no, you cannot set cookies for a different domain.
But you can set cookies for all subdomains of a domain you "control" (read RFC 6265 and publicsuffix.org for details) by setting the Domain attribute of a cookie.