I went the wrong way, shouldn't use launchWebAuthFlow here, set host_permissions in manifest file can access cookie of the website, then can reuse the auth process in my website.