The overall example is fine - but the main difference is that you won't want to expose the access token to the user in a cookie - you should provide some type of infrastructure which will swap the a user cookie (this can be as simple as a simple randomly generated code or as complicated as a signed JWT) for the backend access token.