Channel: ASP.NET Core

OAuth 2.0 Authentication: try to avoid .AddCookie and just want to use .AddOAuth only


Hello everyone,

I got the chance to reinvent this application [1] with .NET Core 2.2, AspNetCore and Docker.
This repository is an out-of-the-box easy-to-use sample application for our API and OAuth 2.0 Service.

Everything works very well, but there is a point that I do not fully understand.

I want to use this application without any usage of a cookie. All necessary OAuth credentials (Client ID, secret, access token and refresh token) are stored in json files. The user should be able to use this application even in a fresh incognito session, just with the stored credentials.

I tried to set ".AddOAuth" as the default, but there is no "OAuthAuthenticationDefaults.AuthenticationScheme". I also tried "UseJwtBearerAuthentication", but all examples are completely different from the OAuth part. My code only works with ".AddCookie" and "CookieAuthenticationDefaults.AuthenticationScheme". :(

In [2] I posted a snippet of my code.

My Questions are:

  • I know the advantage of using cookies, but is there another important reason why I need cookies here?
  • Could someone point me to an example which uses OAuth (with Microsoft.AspNetCore.Authentication.OAuth) without usage of cookies?
  • Is there a way to use the OAuth credentials with the bearer authentication?

I spent hours researching this topic :(

Thanks a lot, Robert

[1] https://github.com/Sage/sageone_api_csharp_sample

[2] This snippet is from https://github.com/Sage/sageone_api_csharp_sample/blob/bfe10ba405ec5f7f488995879b308cc3f48ac39c/app/Startup.cs#L56

// Startup.cs (the method header is restored here so the closing brace of the snippet matches)
public void ConfigureServices(IServiceCollection services)
{
    services.AddDistributedMemoryCache();
    services.AddSession(options =>
    {
        // Makes the session cookie readable by client-side script; the ASP.NET Core default is HttpOnly = true
        options.Cookie.HttpOnly = false;
        options.Cookie.IsEssential = true;
        options.IdleTimeout = TimeSpan.FromHours(1);
    });

    services.AddMvc();
    services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();

    // The cookie scheme is the default: it holds the signed-in identity after the OAuth handshake.
    // "oauth2" is the remote (challenge) scheme that runs the authorization-code flow against Sage.
    services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(o => o.LoginPath = new PathString("/login"))
        .AddOAuth("oauth2", "Sage Accounting", o =>
        {
            o.ClientId = config_client_id;
            o.ClientSecret = config_client_secret;
            o.CallbackPath = new PathString("/auth/callback");
            o.AuthorizationEndpoint = AUTHORIZATION_ENDPOINT;
            o.TokenEndpoint = TOKEN_ENDPOINT;
            o.SaveTokens = true; // also keeps access/refresh token inside the cookie ticket

            o.Scope.Add("full_access");
            o.Events = new OAuthEvents
            {
                OnRemoteFailure = HandleOnRemoteFailure,
                OnCreatingTicket = context =>
                {
                    // Token lifetimes from the token-endpoint response, in seconds
                    int tok_expires_in = (int)context.TokenResponse.Response["expires_in"];
                    int tok_refresh_token_expires_in = (int)context.TokenResponse.Response["refresh_token_expires_in"];

                    // Persist both tokens to the json file with absolute unix expiry timestamps
                    tokenfileWrite(context.AccessToken,
                                   calculateUnixtimestampWithOffset(tok_expires_in),
                                   context.RefreshToken,
                                   calculateUnixtimestampWithOffset(tok_refresh_token_expires_in),
                                   context.HttpContext);
                    return Task.CompletedTask; // no await inside, so a plain (non-async) lambda suffices
                }
            };
        });
}
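The third question (using the stored credentials with bearer authentication) can be served straight from the json token file that the OnCreatingTicket handler above writes; the following is an added example, not code from the forum post or the Sage sample. It assumes Newtonsoft.Json (which the snippet's Response[...] indexing already implies), the file field names used in the comments, and the same TOKEN_ENDPOINT, client id and secret that the snippet passes to AddOAuth.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Uses the json token file written by OnCreatingTicket to call the API as a bearer client, with no cookie.
// File field names are assumed (tokenfileWrite defines the real ones); *_expires_at are unix seconds.
public class TokenFileClient
{
    private readonly string _path, _clientId, _clientSecret, _tokenEndpoint;
    private readonly HttpClient _http;
    public TokenFileClient(string path, string clientId, string clientSecret, string tokenEndpoint, HttpClient http)
    { _path = path; _clientId = clientId; _clientSecret = clientSecret; _tokenEndpoint = tokenEndpoint; _http = http; }
    // Returns a usable access token, refreshing at the token endpoint when expired (60 s skew); throws once the refresh token is expired too.
    public async Task<string> GetValidAccessTokenAsync()
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        var t = JObject.Parse(File.ReadAllText(_path));
        if ((long)t["access_token_expires_at"] - 60 > now) return (string)t["access_token"];
        if ((long)t["refresh_token_expires_at"] <= now) throw new InvalidOperationException("refresh token expired; re-run the interactive OAuth flow");
        // Refresh grant of a confidential client: the client secret stays on the server, never in the browser.
        var form = new FormUrlEncodedContent(new Dictionary<string, string> {
            ["grant_type"] = "refresh_token", ["refresh_token"] = (string)t["refresh_token"],
            ["client_id"] = _clientId, ["client_secret"] = _clientSecret });
        using (var resp = await _http.PostAsync(_tokenEndpoint, form))
        {
            resp.EnsureSuccessStatusCode();
            var json = JObject.Parse(await resp.Content.ReadAsStringAsync());
            t["access_token"] = (string)json["access_token"];
            t["access_token_expires_at"] = now + (long)json["expires_in"];
            // Providers may rotate the refresh token on each refresh; keep the old one only if none is returned.
            t["refresh_token"] = (string)json["refresh_token"] ?? (string)t["refresh_token"];
            if (json["refresh_token_expires_in"] != null)
                t["refresh_token_expires_at"] = now + (long)json["refresh_token_expires_in"];
        }
        // The file holds live bearer credentials: keep it outside the web root, readable only by the app user.
        File.WriteAllText(_path, t.ToString());
        return (string)t["access_token"];
    }
    // One API call authenticated purely by the stored token; no auth cookie or session is involved.
    public async Task<string> GetAsync(string url)
    {
        var req = new HttpRequestMessage(HttpMethod.Get, url);
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetValidAccessTokenAsync());
        var resp = await _http.SendAsync(req);
        return await resp.EnsureSuccessStatusCode().Content.ReadAsStringAsync();
    }
}
```

With this in place the cookie scheme is only needed for the one-time interactive authorization that creates the token file; every later API call is cookie-free. Once the refresh token itself has expired, the user has to go through the browser flow again, which is the one step no stored credential can replace.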

