79456832

Date: 2025-02-21 09:13:42
Score: 1

Storing access and/or ID tokens in cookies is best avoided. Yes, it is possible to store them securely; however, if not done correctly, it's easy for them to be insecure. Also, it's easy to break the 4k cookie limit; I know, I've just been caught out. You could use the ChunkingCookieManager, but then if you are on a .NET MVC app you will fall foul of the cookie monster bug: https://dzone.com/articles/catching-systemwebowin-cookie https://www.nuget.org/packages/Kentor.OwinCookieSaver What's worse is that it will fail silently, so I've now moved to having only an encrypted reference token in a cookie and the refresh token. The reference token is then used to fetch the real token from a memory cache.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (1):
Posted by: Tony Fish
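
A sketch of the reference-token pattern the answer describes, added here as an example and not the answerer's own code: the cookie carries only a protected random handle of fixed size, and the real tokens stay in a server-side memory cache. The `TokenSet` and `ReferenceTokenStore` names and the purpose string are assumptions; it targets .NET Framework with `System.Web` and `System.Runtime.Caching`.

```csharp
using System;
using System.Runtime.Caching;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Hypothetical container for the tokens that never leave the server.
public sealed class TokenSet
{
    public string AccessToken { get; set; }
    public string IdToken { get; set; }
}

// Hypothetical helper: issues and resolves the handle stored in the cookie.
public static class ReferenceTokenStore
{
    private const string Purpose = "ReferenceToken.v1"; // assumed purpose string
    private static readonly MemoryCache Cache = MemoryCache.Default;

    // Caches the tokens and returns the value to place in the cookie.
    public static string Issue(TokenSet tokens, DateTimeOffset expiresAt)
    {
        var handle = new byte[32];                      // 256-bit random handle
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(handle);

        Cache.Set(Convert.ToBase64String(handle), tokens, expiresAt);

        // MachineKey.Protect encrypts and signs with the application's machine key,
        // so the cookie value stays small no matter how large the tokens are.
        return HttpServerUtility.UrlTokenEncode(MachineKey.Protect(handle, Purpose));
    }

    // Returns null for a missing or tampered cookie, or an evicted cache entry,
    // so the caller gets an explicit miss instead of a silent failure.
    public static TokenSet Resolve(string cookieValue)
    {
        if (string.IsNullOrEmpty(cookieValue)) return null;
        try
        {
            byte[] raw = HttpServerUtility.UrlTokenDecode(cookieValue);
            if (raw == null) return null;
            byte[] handle = MachineKey.Unprotect(raw, Purpose);
            return Cache.Get(Convert.ToBase64String(handle)) as TokenSet;
        }
        catch (CryptographicException) { return null; } // failed integrity check
        catch (FormatException) { return null; }        // not valid URL-token text
    }
}
```

The cookie that carries the returned value should be set `HttpOnly` and `Secure`. `MemoryCache` is per-process, so an app-pool recycle or a second server produces a `null` from `Resolve`, at which point the refresh token is used to obtain new tokens.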