Is storing an OAuth 2 token in cookies bad practice? If so, what are alternatives for a web app?
Cookies have a max size of 4 KB. So if you are saving a lot of info in the token, you will get an error.
I definitely wouldn't do it. When security is involved you should not store stuff in places where others can access it. So don't store it anywhere, especially client-side.
That being said, it's not bad practice per se, if handled properly. See this comprehensive article about it.
Whether you can store the access_token in cookies depends on the following things:
I hope this helps.